Summary


Active Directory is the backbone of identities for many organizations around the world, but it is
often not managed well, which opens the door for attackers to compromise it in a minute or
two.


It is very expensive to recover an AD, so security needs to be enforced. ADSA contains different
technical security controls and procedures to bring AD into a better state. The goal of ADSA is
to help your team work together to improve the security posture of AD without pitching a
third-party vendor or trying to sell you a security product.


Enjoy! 


Foreword


Microsoft provides Active Directory Security Assessments for its customers, which is great, but
unfortunately not everyone has the money or the people to do this kind of Security Assessment,
and since AD is the backbone of identities for many organizations, it is crucial to protect it,
right?


Despite that, I wanted to focus purely on something else than AD. I started to release something
similar to ADSA, but a bit of my own version, which does not mean that you would immediately
be 100% secure if you follow all of these recommendations. The goal of ADSA is to improve the
security posture of AD and slow down an attacker, while trying to ensure that the recommendations
will not break anything in production.


Different examples from real-world experience have been covered, where I have managed to see
these misconfigurations in production environments.


Introduction

1) Backups
   1.1) Domain Controllers
   1.2) DHCP
   1.3) DNS
   1.4) PKI

2) Domain Controllers
   2.1) Hardening settings
   2.2) Disabling unnecessary services
   2.3) Auditing the last backup of the DC
   2.4) Restore plan
   2.5) Procedure for rotating the password of the KRBTGT account
   2.6) Procedure for managing the password of the DSRM account
   2.7) Improve auditing rules

3) Access Control Lists
   3.1) Running ACL scans periodically
   3.2) Control ACLs that have been set on the OU of the Domain Controllers
   3.3) Control ACLs that have been set on the DC computer objects
   3.4) Control ACLs that have been set on all Domain Admins and equivalent users
   3.5) Control ACLs that have been set on groups like Domain Admins, Enterprise Admins,
        Administrators and equivalents such as the "Operators" groups
   3.6) Control ACLs that have been set on the DNS object
   3.7) Control ACLs that have been set on GPOs that are linked to the DCs
   3.8) Control ACLs that have been set on the Domain object
   3.9) Run BloodHound to find more escalation paths

4) Best practices
   4.1) Enabling the Active Directory Recycle Bin
   4.2) Delegating rights to restore (deleted) objects from the Recycle Bin
   4.3) Do not use the following groups: Account Operators, Server Operators and Print
        Operators; delegate the rights instead
   4.4) Enabling SID Filtering
   4.5) Remove sIDHistory after migration
   4.6) Tier 0 admins need to be members of the Protected Users group
   4.7) Tier 0 admins need to have the "Account is sensitive and cannot be delegated"
        checkmark

DNS
   Backup and restore plan for DNS
   DnsAdmins

DHCP
   Backup and restore plan for DHCP

PKI
   Backup and restore plan for PKI
   Enable auditing rules
   Monitor relevant PKI event logs
   Hardening settings for PKI

Password Policies
   Fine-Grained Password Policies for service accounts
   Fine-Grained Password Policies for IT admins
   Upgrade the default password policy in AD

Weak or insecure configurations
   Accounts with SPNs in high-privileged groups
   Pre-authentication disabled on accounts
   Servers with unconstrained Kerberos delegation

Security checks
   Ensure AdminSDHolder is in a clean state
   Create a honey user to detect Kerberoasting
   Monitor high-privileged groups
   Event logs to monitor

MSFT Administrative Tier Model
   Deploy the Microsoft Administrative Tier Model or a similar model
   Define which assets need to be managed from Tier 0
   Best practices for managing GPOs in a Tier model


1.1 - Backups of Domain Controllers


Task:                Tier 0 admins
Permission required: Domain Admins or equivalent
Least privilege:     Backup Operators

Summary


Making backups of Domain Controllers is a crucial part of every organization, because Domain
Controllers are responsible for handling authentication in a network. A DC authenticates users, it
stores all the credentials of users in the directory database (the NTDS.dit file), and it enforces
the security policy for a Windows domain. A DC holds the keys to the kingdom of an organization
and needs to be secured to a high level. Since Domain Controllers are so crucial, it is critical to
make backups and store them securely.


There are different solutions on the market to make backups of Domain Controllers, but since
the purpose of ADSA is not to pitch a vendor, we will use a standard feature that is available in
Windows Server, which in this case is Windows Server Backup.


- Log on to the DC and make sure Windows Server Backup is installed.
- Run PowerShell with elevated rights:


Import-Module ServerManager 
Install-WindowsFeature Windows-Server-Backup 


PS C:\Users\Testing.IDENTITY> Import-Module ServerManager
PS C:\Users\Testing.IDENTITY> Install-WindowsFeature Windows-Server-Backup

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Windows Server Backup}


- Check if Windows Server Backup is installed:


Get-WindowsFeature | where {$_.Name -eq "Windows-Server-Backup"}


PS C:\Users\Testing.IDENTITY> Get-WindowsFeature | where {$_.Name -eq "Windows-Server-Backup"}

Name                     Install State
----                     -------------
Windows-Server-Backup    Installed


- Use Windows Server Backup to create backups.
- There are two sorts of backups: "Backup Schedule" and "Backup Once".
- In this example, "Backup Schedule" is used.


1. Open Windows Server Backup.
2. Click on Backup Schedule.
3. Click on Custom.
4. Click Next.
5. Click on "Add Items".
6. Select "System state".
7. Choose how often you want to run backups. I will keep the default.
8. Click Next.
9. Select where you want to store the backups.
10. Click Next.
11. Select the disk to store the backups on.
12. Click Next.
13. Click Finish.
14. A scheduled task with the name "Microsoft-Windows-WindowsBackup" will be created.
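The same scheduled System State backup can be created from PowerShell instead of the wizard, which is easier to repeat on every DC. This is an added example and not part of the original guide; the target volume E: and the 21:00 schedule are placeholders you replace with your own.

```powershell
# Added example (not from the original guide): the same scheduled System State
# backup as the wizard steps above, built with the WindowsServerBackup module.
# Assumptions: E: is a dedicated backup volume on this DC and 21:00 is the
# schedule; both are placeholders.
Import-Module WindowsServerBackup

$policy = New-WBPolicy
Add-WBSystemState -Policy $policy                    # System State: NTDS.dit, SYSVOL, registry, boot files
$target = New-WBBackupTarget -VolumePath "E:"        # backup destination (assumption)
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule -Policy $policy -Schedule ([datetime]"21:00")
Set-WBPolicy -Policy $policy -Force                  # registers the schedule (creates the scheduled task)

# Check what was registered: schedule, targets and that System State is included.
Get-WBPolicy | Format-List Schedule, BackupTargets, SystemState

# Run the first backup immediately instead of waiting for 21:00.
Start-WBBackup -Policy (Get-WBPolicy)

# Same information as the "Messages" and "Status" panes in the GUI.
Get-WBSummary | Format-List LastBackupTime, LastBackupResultHR, LastSuccessfulBackupTime, NextBackupTime
```

Set-WBPolicy with -Force overwrites any schedule that already exists on the server, so run Get-WBPolicy first on a DC that may already have one. The target volume must not be one that holds System State components, otherwise Windows Server Backup refuses it.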


[Screenshot: Task Scheduler, task "Microsoft-Windows-WindowsBackup" in \Microsoft\Windows\Backup, author CORP\DCS, status Ready, trigger "At 9:00 PM every day", next run 1/23/2020 9:00:00 PM, last run result "The task has not yet run".]


After the backup schedule has run, the result is displayed in the GUI of Windows Server
Backup.


[Screenshot: Windows Server Backup "Messages" pane showing a failed backup and a successful backup on 1/23/2020 1:03 PM; "Status" pane: last backup 1/23/2020 1:03 PM, next backup scheduled 1/23/2020 9:00 PM.]


All the event logs regarding backups can be found under Microsoft-Windows-Backup/Operational,
and event ID 14 tells you that a backup has completed.


[Screenshot: Event Viewer, Microsoft-Windows-Backup/Operational on 1/23/2020, source Backup: 2:18:00 PM Information event 14, 2:18:00 PM Information event 4, 1:03:57 PM Error event 20, 1:03:55 PM Information event 1, 1:00:02 PM Information event 99.]


1.2 - Backups of DHCP


Task: Tier 0 admins


Summary


A DHCP server is a (network) server that automatically provides and assigns IP addresses to client
devices, and not only IP addresses: it also assigns default gateways and other network parameters.
DHCP is a crucial part, because it allows devices to participate in a network by allocating
IP addresses to clients. A Windows DHCP server checks against AD whether it is authorized to lease IP addresses.


- Log on to the DHCP server
- Run PowerShell with elevated rights:


Backup-DhcpServer -ComputerName "IDENTITY-DC" -Path "C:\Temp" 


Here we are making a backup of our DHCP configuration. 


PS C:\Users\Testing.IDENTITY> Backup-DhcpServer -ComputerName "IdentityManager" -Path "C:\Temp"
PS C:\Users\Testing.IDENTITY>


We are storing our DHCP configuration in the Temp directory. 


[Screenshot: Explorer, C:\Temp containing the folder "new" and the file "DhcpCfg", both dated 1/24/2020 8:56 AM.]


DhcpCfg is the configuration file of DHCP.


Now the second part is to restore the DHCP configuration:


Restore-DhcpServer -ComputerName "dhcpserver.contoso.com" -Path "C:\Temp" 


PS C:\Users\Testing.IDENTITY> Restore-DhcpServer -ComputerName "IdentityManager" -Path "C:\Temp"

Confirm
The DHCP server database will be restored from the file C:\Temp. Do you want to perform this action?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

PS C:\Users\Testing.IDENTITY>


Last but not least, we now need to restart the DHCP Server service:


Restart-Service DhcpServer




The DHCP backup has been made and restored.


Recommendations


DHCP is a very important part to back up, but since we know that ransomware attacks go
after backups as well, it is recommended to have an offline DHCP backup too.


What do I mean by offline backups? I made a DHCP backup and stored all the configuration
data in the C:\Temp folder.


The entire configuration data that is stored in the C:\Temp folder needs to be stored somewhere
else as well, which should be an offline server (without internet connection) that is NOT joined to
Active Directory.


Last but not least, a procedure needs to be in place for making offline DHCP backups, together
with a concrete plan on how to restore them.
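One way to turn the backup, offline copy and restore into a repeatable procedure, as an added example that is not part of the original guide. The server name, the UNC path of the offline host and the credential are placeholders; the hash manifest is my addition so that a copy can be checked before it is restored.

```powershell
# Added example (not from the original guide): back up the DHCP configuration,
# write a SHA-256 manifest next to it, copy the set to a host outside the domain,
# and restore only after the manifest still matches.
# Assumptions: $Server, $OfflineDir and the credential are placeholders.
Import-Module DhcpServer

$Server     = "IDENTITY-DC"                 # DHCP server (assumption)
$Stamp      = Get-Date -Format "yyyyMMdd-HHmm"
$BackupDir  = "C:\Temp\dhcp-$Stamp"
$OfflineDir = "\\OFFLINE-BACKUP\dhcp$"      # non-domain-joined host (assumption)

New-Item -ItemType Directory -Path $BackupDir | Out-Null

# 1. Native backup, the same call as above: writes $BackupDir\DhcpCfg.
Backup-DhcpServer -ComputerName $Server -Path $BackupDir

# 2. XML export as a second, readable copy. -Leases keeps current leases as well;
#    drop it if only scopes, options and reservations are needed.
Export-DhcpServer -ComputerName $Server -File "$BackupDir\dhcp-export.xml" -Leases -Force

# 3. Hash manifest, written after the files are enumerated so it does not list itself.
Get-ChildItem $BackupDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n = 'File'; e = { Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv "$BackupDir\manifest.csv" -NoTypeInformation

# 4. Copy to the offline host with an account local to that host; never reuse
#    the domain credential there, or the backup host is part of the blast radius.
$cred = Get-Credential -Message "Local account on the offline backup host"
New-PSDrive -Name OFF -PSProvider FileSystem -Root $OfflineDir -Credential $cred | Out-Null
Copy-Item -Path $BackupDir -Destination "OFF:\" -Recurse
Remove-PSDrive -Name OFF

# Restore path: verify the manifest, restore DhcpCfg from -Path, restart the service.
function Restore-DhcpFromBackup {
    param([Parameter(Mandatory)][string]$Path, [string]$ComputerName = $Server)
    foreach ($row in Import-Csv "$Path\manifest.csv") {
        $actual = (Get-FileHash "$Path\$($row.File)" -Algorithm SHA256).Hash
        if ($actual -ne $row.Hash) { throw "Hash mismatch for $($row.File); refusing to restore" }
    }
    Restore-DhcpServer -ComputerName $ComputerName -Path $Path -Force
    Restart-Service DhcpServer
}
```

Restore-DhcpServer reads DhcpCfg from the directory given in -Path, so the folder copied back from the offline host is passed as-is; the XML export is the fallback for Import-DhcpServer if the binary backup cannot be read on a newer server version.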




1.3 - Backups of DNS


Task: Tier 0 admins


Summary


DNS is a resolution method for resolving hostnames to IP addresses. Active Directory relies on
DNS. In Active Directory, DNS maintains a database of services that are running on the network.
The list of running services is managed in the form of service records (SRV).

Service records allow a client in an Active Directory environment to locate a service, like the
file server for example. This is a crucial part to take into the backup plan as well. Do not leave DNS
out of the backups.


[Screenshot: DNS Manager, Forward Lookup Zones: _msdcs.corp.contoso.com and corp.contoso.com, both "Active Directory-Integrated Primary", status Running, DNSSEC status Not Signed.]


- Log on to the DC
- Run PowerShell with elevated rights:


Dnscmd /zoneexport _msdcs.corp.contoso.com _msdcs.corp.contoso.com.txt


Dnscmd /zoneexport corp.contoso.com corp.contoso.com.txt 


PS C:\Windows\system32> Dnscmd /zoneexport _msdcs.corp.contoso.com _msdcs.corp.contoso.com.txt
DNS Server . exported zone
  _msdcs.corp.contoso.com to file C:\Windows\system32\dns\_msdcs.corp.contoso.com.txt
Command completed successfully.

PS C:\Windows\system32> Dnscmd /zoneexport corp.contoso.com corp.contoso.com.txt
DNS Server . exported zone
  corp.contoso.com to file C:\Windows\system32\dns\corp.contoso.com.txt
Command completed successfully.


The exported zone files are now stored in C:\Windows\System32\dns.


[Screenshot: Explorer, C:\Windows\System32\dns: folders backup and samples; _msdcs.corp.contoso.com.dns, cache.dns, corp.contoso.com.dns (DNS files from 1/18/2017); the new exports _msdcs.corp.contoso.com.txt (1/24/2020 1:42 AM) and corp.contoso.com.txt (1/24/2020 1:43 AM); dns.log.]
Is 


I am now going to delete the corp.contoso.com forward lookup zone (FWLZ).


[Screenshot: DNS Manager, prompt "Do you want to delete the zone corp.contoso.com from the server?" with Yes/No.]


1. Create a new FWLZ. In the New Zone Wizard select "Primary zone" ("Creates a copy of a zone that
   can be updated directly on this server") and uncheck "Store the zone in Active Directory
   (available only if DNS server is a writeable domain controller)". The other options, "Secondary
   zone" and "Stub zone", create copies of a zone that exists on another server and do not apply here.

2. Type "corp.contoso.com" as the zone name. The zone name specifies the portion of the DNS
   namespace for which this server is authoritative; it is not the name of the DNS server.

3. Select "Use this existing file" and type: corp.contoso.com.txt. The wizard requires that the
   file has already been copied to %SystemRoot%\system32\dns on this server.

4. Click Next and then Finish. The wizard reminds you to add records to the zone or ensure that
   records are updated dynamically, and to verify name resolution using nslookup.

5. Everything has been restored again. Note that because the box in step 1 was unchecked, the
   restored zone is now file-backed rather than Active Directory-integrated; convert it back
   (zone Properties, Type, "Store the zone in Active Directory") so it replicates to the other
   DCs again.
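The same export and restore, scripted so it covers every AD-integrated zone on the server instead of two hard-coded names. This is an added example, not part of the original guide; it assumes the DnsServer PowerShell module on a DC that runs DNS.

```powershell
# Added example (not from the original guide): export every AD-integrated zone
# on this server to a text file, and a restore function that recreates a zone
# from such a file and converts it back to AD-integrated. Assumes the DnsServer
# module on a DC that runs DNS; zone names are read from the server.
Import-Module DnsServer

$ExportDir = Join-Path $env:SystemRoot "System32\dns"   # where Export-DnsServerZone writes

function Backup-AdDnsZones {
    $zones = Get-DnsServerZone | Where-Object {
        $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary'
    }
    foreach ($z in $zones) {
        $file = "$($z.ZoneName).txt"
        # Equivalent of "dnscmd /zoneexport <zone> <file>"; the file lands in System32\dns.
        Export-DnsServerZone -Name $z.ZoneName -FileName $file
        [pscustomobject]@{ Zone = $z.ZoneName; File = Join-Path $ExportDir $file }
    }
}

function Restore-AdDnsZone {
    param([Parameter(Mandatory)][string]$ZoneName,
          [ValidateSet('Forest', 'Domain')][string]$ReplicationScope = 'Domain')
    $file = "$ZoneName.txt"
    if (-not (Test-Path (Join-Path $ExportDir $file))) {
        throw "Copy $file from the offline backup into $ExportDir first"
    }
    # Step 1: file-backed primary zone from the exported file (the wizard with
    # "Store the zone in Active Directory" unchecked).
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile $file
    # Step 2: the wizard leaves a file-backed zone; convert it back so it
    # replicates to the other DCs again.
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $ReplicationScope -Force
    # Step 3: the SRV records that clients use to locate services must be back.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Srv | Select-Object -First 5
}

Backup-AdDnsZones | Format-Table -AutoSize
# Restore-AdDnsZone -ZoneName 'corp.contoso.com'   # run after the zone was deleted or lost
```

The exported .txt files are what goes to the offline host; the restore function expects them copied back into System32\dns, exactly as the wizard does. Use -ReplicationScope Forest for the _msdcs zone if it was forest-wide before.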


[Screenshot: DNS Manager after the restore. corp.contoso.com again contains _msdcs, _sites, _tcp, _udp, DomainDnsZones and ForestDnsZones, the SOA and NS records pointing to dc.corp.contoso.com, and the Host (A) records for dc, fcm, win10-01 to win10-04, win10-LTSB and win7 (192.168.1.11 to 192.168.1.20).]


Recommendations

Task: Tier 0 admins


Make backups of DNS, but ensure that there is also an offline backup. Since these are just
TXT files, it is easy to back them up quickly.

The only thing that you need to do is create a procedure for making offline backups of DNS and a
plan for restoring them. It is recommended to practise this procedure as well, but that is up to you.


[Screenshot: the same C:\Windows\System32\dns listing as above, with the two exported files _msdcs.corp.contoso.com.txt and corp.contoso.com.txt marked in red.]


Make sure that the DNS configuration is stored on an offline server (without internet connection)
that is not joined to Active Directory.

In other words, those two TXT files that have been marked in red need to be stored on a server
that is not joined to Active Directory. Again, repeat after me: "I will store those two TXT files on a
server that does not have any connection with AD."


1.4 - Backups of PKI (AD CS)


Task: Tier 0 admins


Summary


Certificate Authorities are important as well, but how important depends on the purpose for which PKI is
used. In most organizations I have seen so far, it is used for protecting client data.


- Log on to the CA server
- Open the Certification Authority console


[Screenshot: certsrv console, "Contoso Corp CA" with the folders Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests and Certificate Templates.]


Make a backup of the CA (right-click the CA, All Tasks, Back up CA) and make sure to select both checkmarks.
Choose a backup location and store it there.


Certification Authority Backup Wizard, "Select the items you wish to back up":
  [x] Private key and CA certificate
  [x] Certificate database and certificate database log
  Back up to this location: <folder>
  Note: The backup directory must be empty.


Now pick a strong password and click Next to finish.


Completing the Certification Authority Backup Wizard. You have selected the following settings:
  Private Key and CA Certificate
  Issued Log and Pending Requests
To close this wizard and begin the backup, click Finish.


Another important thing we need to back up is the CA settings, which are stored in the following registry
key: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration


[Screenshot: Registry Editor at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, context menu with "Export"; values include REG_SZ DC.corp.contoso.com and REG_SZ "Contoso Corp CA" (the active CA name).]


I decided to store everything in the C:\Temp directory, and it looks like this:


[Screenshot: Explorer, C:\Temp containing "DataBase" (1/24/2020 2:21 AM), "CA settings" (the registry export, 1/24/2020 2:24 AM) and "Contoso Corp CA" (1/24/2020 2:21 AM).]


Now I am going to restore the Certificate Authority (right-click the CA, All Tasks, Restore CA).


Certification Authority Restore Wizard, "Select the items you want to restore":
  [x] Private key and CA certificate
  [x] Certificate database and certificate database log
  Restore from this location: <folder>
  Note: For incremental restores, first select the full backup file and complete the wizard.
  Then re-run the wizard, selecting subsequent incremental backup files.


- Type the password that you used for your backup. The wizard states: "This password is required to
  gain access to the private key and the CA certificate file. To maintain private key security, do not
  share your password."


- Click Next and then Finish.


Recommendations


Make backups of PKI and store all the configuration data on an offline server that is not joined to
Active Directory.

Attackers go after backups as well, but I assume everybody is aware of that. Backups are
important, so do not forget them. Also, do not forget to make an export of the CA settings registry
key.

In other words, all of the configuration data that we just stored in the C:\Temp folder needs to
be stored on an offline server that is, again, not joined to Active Directory. And do not
forget the password of the backup.
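The wizard steps, the registry export and a hash manifest in one script, so the CA backup can be scheduled rather than clicked through. This is an added example and not part of the original guide; it assumes the ADCSAdministration module (Windows Server 2012 or later), and the folder names are my choice.

```powershell
# Added example (not from the original guide): scripted version of what the
# Certification Authority Backup Wizard does, plus the registry export asked for
# above, written into one timestamped folder that you then copy to the offline
# host. Assumptions: run elevated on the CA with the ADCSAdministration module;
# folder names are placeholders.
Import-Module ADCSAdministration

$Stamp = Get-Date -Format "yyyyMMdd-HHmm"
$Root  = "C:\Temp\ca-backup-$Stamp"
$DbDir = Join-Path $Root "DataBase"          # must not exist yet: the backup directory has to be empty
New-Item -ItemType Directory -Path $Root | Out-Null

# The password protects the exported private key (same prompt as the wizard).
$pw = Read-Host -AsSecureString -Prompt "Password for the CA key backup"

# 1. Both wizard checkmarks: private key + CA certificate, database + database log.
Backup-CARoleService -Path $DbDir -Password $pw -Force

# 2. CA settings: CRL/AIA publication paths, policy and exit modules, audit filter, ...
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$Root\CA settings.reg" /y | Out-Null

# 3. Which templates this CA publishes, so the list can be compared after a restore.
certutil -catemplates | Out-File "$Root\catemplates.txt"

# 4. The active CA name and a hash manifest, so the offline copy can be verified later.
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration").Active |
    Out-File "$Root\caname.txt"
Get-ChildItem $Root -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv "$Root\manifest.csv" -NoTypeInformation

# Restore, on the rebuilt server after the CA role is installed with the same CA name:
#   Stop-Service CertSvc
#   Restore-CARoleService -Path "<Root>\DataBase" -Password $pw -Force
#   reg import "<Root>\CA settings.reg"
#   Start-Service CertSvc
```

Backup-CARoleService takes the password as a SecureString, which keeps it out of the process command line; certutil -p would expose it there. The password itself goes into the password manager, not next to the backup.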




2.1 - Hardening settings for Domain Controllers


Task: Tier 0 admins


Summary


The default settings of Domain Controllers are not that great. Every DC has the "Default
Domain Controllers Policy" in place by default, but this GPO creates different escalation paths to Domain
Admin if you have any members in Backup Operators or Server Operators, for example: they can
become Domain Admin.

Start by replacing the "Default Domain Controllers Policy" with a new GPO, linked to the Domain
Controllers OU, that is more security focused.


User Rights Assignment

Policy                                                          | Recommended setting
----------------------------------------------------------------|-------------------------------------------------------------------
Access this computer from the network                           | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Add workstations to a domain                                    | Administrators
Allow log on locally                                            | Administrators, Backup Operators
Back up files and directories                                   | Administrators, Backup Operators
Change the system time                                          | LOCAL SERVICE, Administrators
Debug programs                                                  | Administrators
Deny access to this computer from the network                   | Guests
Deny log on through Remote Desktop Services                     | Guests
Enable computer and user accounts to be trusted for delegation  | Administrators
Force shutdown from a remote system                             | Administrators
Load and unload device drivers                                  | Administrators
Restore files and directories                                   | Administrators, Backup Operators
Shut down the system                                            | Administrators
Take ownership of files or other objects                        | Administrators

NOTE: Remove Backup Operators if it is not in use.
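A check that compares the rights actually in effect on a DC with the table above, as an added example that is not part of the original guide. It exports the local security policy with secedit, reads the [Privilege Rights] section and reports every principal that holds a right the table does not grant; on an untouched DC that list is exactly the Server Operators, Account Operators and Print Operators entries the text warns about. The well-known SIDs are used instead of names so the check does not depend on the display language; run it elevated on the DC.

```powershell
# Added example (not from the original guide): compare the effective user rights
# on this DC with the recommended table and list every unexpected holder.
# Assumption: run elevated on the DC; SIDs are the well-known ones.
$Admins = 'S-1-5-32-544'; $BackupOps = 'S-1-5-32-551'; $Guests = 'S-1-5-32-546'
$AuthUsers = 'S-1-5-11';   $EntDCs = 'S-1-5-9';         $LocalSvc = 'S-1-5-19'

# Expected holders per right; keys are the policy's internal privilege names.
$Expected = @{
    SeNetworkLogonRight               = @($Admins, $AuthUsers, $EntDCs)  # Access this computer from the network
    SeMachineAccountPrivilege         = @($Admins)                       # Add workstations to a domain
    SeInteractiveLogonRight           = @($Admins, $BackupOps)           # Allow log on locally
    SeBackupPrivilege                 = @($Admins, $BackupOps)           # Back up files and directories
    SeSystemtimePrivilege             = @($LocalSvc, $Admins)            # Change the system time
    SeDebugPrivilege                  = @($Admins)                       # Debug programs
    SeDenyNetworkLogonRight           = @($Guests)                       # Deny access from the network
    SeDenyRemoteInteractiveLogonRight = @($Guests)                       # Deny log on through RDS
    SeEnableDelegationPrivilege       = @($Admins)                       # Trusted for delegation
    SeRemoteShutdownPrivilege         = @($Admins)                       # Force shutdown from a remote system
    SeLoadDriverPrivilege             = @($Admins)                       # Load and unload device drivers
    SeRestorePrivilege                = @($Admins, $BackupOps)           # Restore files and directories
    SeShutdownPrivilege               = @($Admins)                       # Shut down the system
    SeTakeOwnershipPrivilege          = @($Admins)                       # Take ownership of files or other objects
}

function Get-EffectiveUserRights {
    # secedit exports the policy as applied (local + GPO) into an .inf file.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Values are "*S-1-5-..." for SIDs or plain names; normalise everything to SIDs.
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object {
                $v = $_.Trim()
                if ($v.StartsWith('*')) { $v.Substring(1) }
                else { (New-Object Security.Principal.NTAccount $v).Translate([Security.Principal.SecurityIdentifier]).Value }
            })
        }
    }
    Remove-Item $cfg -Force
    $rights
}

function Test-DcUserRights {
    $actual = Get-EffectiveUserRights
    foreach ($right in $Expected.Keys) {
        $extra = @($actual[$right]) | Where-Object { $_ -notin $Expected[$right] }
        foreach ($sid in $extra) {
            $name = $(try { (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value } catch { $sid })
            [pscustomobject]@{ Right = $right; UnexpectedHolder = $name; SID = $sid }
        }
    }
}

Test-DcUserRights | Sort-Object Right | Format-Table -AutoSize
```

An empty result means the DC matches the table. Rights that the table leaves to Administrators only but that show Server Operators or Account Operators are the ones to fix first, since those groups are the escalation paths described in the summary.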


Security Options

Policy                                                                         | Recommended setting
-------------------------------------------------------------------------------|---------------------------------------------
Devices: Prevent users from installing printer drivers                         | Enabled
Domain controller: Allow server operators to schedule tasks                    | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts             | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares  | Enabled
Network security: LAN Manager authentication level                             | Send NTLMv2 response only. Refuse LM & NTLM


The last setting, the LAN Manager authentication level, needs more attention, because it can break things,
which means that it needs to be tested very well before deploying it in production.


There are two NTLM audit settings that need to be enabled to track down the use of NTLM:

Policy                                                                     | Setting
---------------------------------------------------------------------------|-------------------------------------
Network security: Restrict NTLM: Audit Incoming NTLM Traffic               | Enable auditing for domain accounts
Network security: Restrict NTLM: Audit NTLM authentication in this domain  | Enable all


Event 4624 carries the data fields "Authentication Package" and "Package Name (NTLM only)", which
need to be filtered on.

If you see "NTLM V1" as the Package Name, an application is still using NTLMv1. Disabling NTLM
immediately can break such an application, so make sure this is tested properly.


Detailed Authentication Information (event 4624):
    Logon Process:            NtLmSsp
    Authentication Package:   NTLM
    Transited Services:       -
    Package Name (NTLM only): NTLM V1
    Key Length:               128


Recommendation


Configure all those recommended settings, but keep a sharp eye on the "LAN Manager authentication
level". It is recommended to use "Send NTLMv2 response only. Refuse LM & NTLM", but test this properly.

Start the following test phase:

- Enable the two NTLM auditing policies and start monitoring to see if there are applications
  using NTLMv1. Continue only if you are confident that there are no legacy apps anymore.
- Change the policy to "Send NTLMv2 response only. Refuse LM".
- Keep monitoring, and when you are confident enough to take the next step:
- Change the policy to "Send NTLMv2 response only. Refuse LM & NTLM".
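The monitoring step, done with a query instead of scrolling through the Security log: it pulls every 4624 event on each DC whose "Package Name (NTLM only)" field says NTLM V1 and groups them by account, workstation and source address, which is the list of applications to fix before the policy is raised. This is an added example, not part of the original guide; it assumes the ActiveDirectory module and permission to read the DCs' Security logs remotely, and the 7-day window is an example value.

```powershell
# Added example (not from the original guide): list every NTLM V1 logon recorded
# in the Security log of each DC and summarise by account, workstation and source
# address. Assumptions: ActiveDirectory module, rights to read the DCs' Security
# logs remotely; the 7-day look-back window is an example value.
Import-Module ActiveDirectory

function Get-NtlmV1Logons {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,
          [datetime]$StartTime = (Get-Date).AddDays(-7))
    $since = $StartTime.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.000'Z'")
    # XPath on the event XML: 4624 in the window whose "Package Name (NTLM only)"
    # field (LmPackageName in the XML) is NTLM V1. Filtering server-side avoids
    # pulling every logon event off a busy DC.
    $xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$since']] " +
             "and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = @{}
                foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                [pscustomobject]@{
                    DC          = $dc
                    Time        = $_.TimeCreated
                    Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Workstation = $d.WorkstationName     # the client that still speaks NTLMv1
                    SourceIP    = $d.IpAddress
                    LogonType   = $d.LogonType
                    Package     = $d.LmPackageName
                }
            }
    }
}

Get-NtlmV1Logons |
    Group-Object Account, Workstation, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Once the "Restrict NTLM" audit policies are on, the DCs also write events 8001 to 8004 to the Microsoft-Windows-NTLM/Operational log; those show NTLM use per target server rather than per version, so the 4624 query above remains the one that tells NTLMv1 from NTLMv2.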


2.2 - Disabling unnecessary services on Domain Controllers


Summary: 


By default, there are unnecessary services enabled on a Domain Controller. It is a best practice to
disable unnecessary services to reduce the attack surface and improve the performance of a DC. There is even a service
enabled by default on a DC, the Print Spooler, that can be used in an escalation path to compromise Active
Directory.


Disable the following services:

Service                   | Action
--------------------------|-------
Xbox Live Auth Manager    | Stop
Xbox Live Game Save       | Stop
Print Spooler             | Stop
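Stopping a service is not enough, because it starts again at the next reboot; the startup type has to be set to Disabled as well. The following added example (not part of the original guide) does both on every DC in the domain and reports the resulting state. It assumes the ActiveDirectory module and that WinRM from the admin host to the DCs is allowed.

```powershell
# Added example (not from the original guide): stop and disable the three
# services on every DC, then report what is left running. Assumes WinRM from
# the Tier 0 admin host to the DCs and the ActiveDirectory module.
Import-Module ActiveDirectory

# Service names behind the display names in the table above.
$Services = 'Spooler', 'XblAuthManager', 'XblGameSave'   # Print Spooler, Xbox Live Auth Manager, Xbox Live Game Save
$DCs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $DCs -ArgumentList (, $Services) -ScriptBlock {
    param([string[]]$names)
    foreach ($n in $names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }                        # not present on this build (Server Core, for example)
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $n -Force }
        Set-Service -Name $n -StartupType Disabled         # "Stop" alone comes back after a reboot
        $svc = Get-Service -Name $n
        [pscustomobject]@{
            DC        = $env:COMPUTERNAME
            Service   = $n
            Status    = $svc.Status
            StartType = $svc.StartType
        }
    }
} | Format-Table DC, Service, Status, StartType -AutoSize
```

Set this through a GPO on the Domain Controllers OU as well, so a DC promoted later gets the same state. One thing to know before disabling the Spooler on a DC: it is the service that prunes stale printer objects published in AD, so that housekeeping stops with it.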


2.3 - Auditing the last backup of the Domain Controllers


Summary: 


Making backups of Domain Controllers is the most critical part of Active Directory security, but
most organizations do not perform periodic audits to see if backups are really in place and
stored securely. We will get to the "stored securely" part later.

There are different backup solutions on the market to help organizations do their AD/DC backups,
but since ADSA is not here to pitch a vendor, we will rely on Windows Server Backup, which is
free for everybody. It is far from perfect, but it is at least something.


Every time a backup schedule is created, a scheduled task is created under
\Microsoft\Windows\Backup with the name "Microsoft-Windows-WindowsBackup".


[Screenshot: Task Scheduler Library, \Microsoft\Windows\Backup, task "Microsoft-Windows-WindowsBackup", author CORP\DCS, trigger "At 9:00 PM every day", next run 1/25/2020 9:00:00 PM.]


All the backup event logs are located under Microsoft-Windows-Backup/Operational.


Event Properties - Event 1, Backup
    The backup operation has started.
    Log Name:  Microsoft-Windows-Backup/Operational
    Source:    Backup            Logged:        1/25/2020 12:41:09 AM
    Event ID:  1                 Task Category: None
    Level:     Information


Recommendation


Windows Server Backup provides information about backups, for example whether a backup was
successful or failed. Are you aware when a backup has failed?

Here we can see that a backup has failed, but do you get any alert in your SIEM solution that
rings a bell?


[Screenshot: Windows Server Backup "Messages" pane: 1/25/2020 1:03 AM Backup Successful, 1/25/2020 12:41 AM Backup Failed. "Status" pane: last backup Successful at 1/25/2020 1:03 AM, next backup Scheduled for 1/25/2020 9:00 PM.]


All the backup event logs are stored under Microsoft-Windows-Backup/Operational.


Event Properties - Event 5, Backup
    The backup operation that started at '2020-01-25T08:41:09.721572400Z' has failed with following
    error code '0x80780049' (None of the items included in backup were backed up.). Please review the
    event details for a solution, and then rerun the backup operation once the issue is resolved.
    Log Name:  Microsoft-Windows-Backup/Operational
    Source:    Backup            Logged:        1/25/2020 12:59:43 AM
    Event ID:  5                 Task Category: None
    Level:     Error


Recommendation 2


Offline backups are very important. In many ransomware attacks, attackers have gone after the
backup servers as well. Sure, backups had been created, but they were all hanging in the same
Windows domain.

After the backup schedule has run, a folder with the name "WindowsImageBackup" is created on
the target, and it stores all the backup data.

Ensure that you have a backup stored offline, on a server that is not part of Active
Directory. Do not store your backups on


[Screenshot: Explorer, D:\WindowsImageBackup\DC containing "Backup 2020-01-25 090304", Catalog, Logs, SPPMetadataCache (folders, 1/25/2020 1:05 AM) and the file MediaId (1/25/2020 1:03 AM).]


The second important part is to monitor the backup event logs. All the events related
to backups are located under Microsoft-Windows-Backup/Operational:

Event ID | Description
---------|--------------------------------------------------------
4        | The backup operation has finished successfully.
5        | The backup operation that started at <XYZ> has failed.
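The audit itself can be a scheduled query rather than a visit to every DC: read the last successful and last failed run from Microsoft-Windows-Backup/Operational on each DC and flag the ones whose last good backup is older than a threshold. This is an added example, not part of the original guide; it assumes remote event log access to the DCs, and the 2-day threshold is an example value. Event IDs 4, 5 and 14 are the ones the text above mentions.

```powershell
# Added example (not from the original guide): per DC, the last successful and
# the last failed Windows Server Backup run, and a warning for every DC whose
# last good backup is older than $MaxAgeDays. Assumptions: remote access to the
# DCs' event logs; the threshold is an example value.
Import-Module ActiveDirectory
$MaxAgeDays = 2

function Get-DcBackupStatus {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)
    foreach ($dc in $ComputerName) {
        $filter = @{ LogName = 'Microsoft-Windows-Backup/Operational'; ID = 4, 5, 14 }
        # Get-WinEvent returns newest first, so the first match of each kind is the latest.
        $events   = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue
        $lastOk   = $events | Where-Object { $_.Id -in 4, 14 } | Select-Object -First 1
        $lastFail = $events | Where-Object { $_.Id -eq 5 }     | Select-Object -First 1
        $ageDays  = if ($lastOk) { ((Get-Date) - $lastOk.TimeCreated).TotalDays } else { [double]::PositiveInfinity }
        [pscustomobject]@{
            DC              = $dc
            LastSuccessful  = $lastOk.TimeCreated
            LastFailed      = $lastFail.TimeCreated
            LastFailureText = if ($lastFail) { $lastFail.Message.Split("`n")[0] } else { $null }
            Stale           = $ageDays -gt $MaxAgeDays   # also true when no success was ever logged
        }
    }
}

$status = Get-DcBackupStatus
$status | Format-Table -AutoSize
$stale = $status | Where-Object Stale
if ($stale) {
    Write-Warning "DCs without a successful backup in the last $MaxAgeDays days: $($stale.DC -join ', ')"
}
```

A DC that returns no events at all is reported as stale too, which is the case worth catching: a schedule that was never created, or a log that was cleared.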


2.4 - Restore backup of DC


Summary: 


Making backups is one thing, but restoring is the second part. When Active Directory is down,
most organizations will not be able to continue their business, and without doing anything,
all the problems will still be there.

A restore plan needs to be in place to restore Active Directory. Every organization should
have a restore plan, but it is difficult to judge for others how you should develop a restore
plan, because some companies use third-party tools to do it for them.


Here are a few tips:

- DSRM, or Directory Services Restore Mode, is the break-glass account for Domain Controllers.
  This account should be used in disaster recovery scenarios.
- The DSRM credentials need to be stored securely and be accessible only to the right people.
- Offline backups of AD/DCs should always be available, so you can restore them as soon as possible.

Practice it:

- Create a test environment, in Azure for example.
- Make sure you or your team has practised this restore plan hands-on; otherwise you will
  struggle a lot.


2.5 - Rotating the password of the KRBTGT account


Summary: 


A procedure for rotating the password of KRBTGT needs to be in place. KRBTGT is the security
principal of the KDC. The KDC encrypts a user's TGT with the key it derives from the password of
the KRBTGT account; in other words, the KDC encrypts a user's TGT with the NT hash of the KRBTGT
account.

An attacker who manages to get the NT hash of the KRBTGT account can create "Golden Tickets"
to impersonate every user in the domain. Obtaining that hash requires Domain Admin or equivalent
access, which is why a DC backup in the wrong hands is as bad as a compromised DC.

Best practice is to reset the password of the KRBTGT account twice every half year. Two resets are
needed because the KDC also keeps the previous password, so tickets encrypted with the old key stay
valid until the second reset.


[Screenshot: Active Directory Users and Computers, contoso.com\Users, context menu on the krbtgt account (description "Key Distribution Center Service Account") with "Reset Password..." highlighted.]


• Recommendation


Start by resetting the password of the KRBTGT account twice every half year, but do not perform the two resets in rapid succession, or Kerberos services might break.


[Screenshot: PowerShell output of the krbtgt account with its PasswordLastSet value; the command line is cut off in the screenshot.]

PS C:\Users\Mark> ... krbtgt ... passwordlastset

DistinguishedName : CN=krbtgt,CN=Users,DC=corp,DC=contoso,DC=com
Enabled           : False
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : de2a1c70-e8f1-4fb0-a720-32627866a213
PasswordLastSet   : 1/18/2017 11:57:58 AM
SamAccountName    : krbtgt
SID               : S-1-5-21-3566662483-264877133...
Surname           :
UserPrincipalName :


• Reset the password of the KRBTGT account, but not twice in a row. Reset the password once and wait until you can safely do the second reset; usually that is around 10-24 hours after the first reset.

• Here is a script that can be used to validate that all DCs have replicated to each other: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51
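The following PowerShell is an added example, not part of the ADSA guide or of the TechNet script linked above. It reports the age of the KRBTGT password against the half-year cadence and checks that every writable DC already shows the same PasswordLastSet value, which is the condition to verify before the second reset. It assumes the ActiveDirectory RSAT module and an account that can read the krbtgt object on each DC; the 180-day threshold is an assumption taken from the "twice every half year" advice.

```powershell
# Added example (not from the ADSA guide or the linked TechNet script): report the age of the
# KRBTGT password and check that every writable DC already shows the same PasswordLastSet
# before the second reset is done. Assumes the ActiveDirectory RSAT module and an account
# that can read the krbtgt object on each DC; 180 days mirrors the guide's half-year cadence.
Import-Module ActiveDirectory

function Get-KrbtgtRotationState {
    param([int]$MaxAgeDays = 180)

    # RODCs hold their own krbtgt_<id> keys, so only writable DCs are consulted.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }

    $perDc = foreach ($dc in $dcs) {
        try {
            $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet -ErrorAction Stop
            [pscustomobject]@{ DomainController = $dc.HostName; PasswordLastSet = $k.PasswordLastSet; Reachable = $true }
        } catch {
            [pscustomobject]@{ DomainController = $dc.HostName; PasswordLastSet = $null; Reachable = $false }
        }
    }

    # Distinct timestamps seen across the DCs: more than one means replication is still pending.
    $seen    = @($perDc | Where-Object Reachable | Select-Object -ExpandProperty PasswordLastSet -Unique)
    $newest  = $seen | Sort-Object -Descending | Select-Object -First 1
    $ageDays = if ($newest) { [int]((Get-Date) - $newest).TotalDays } else { $null }
    $allUp   = -not ($perDc | Where-Object { -not $_.Reachable })

    [pscustomobject]@{
        PasswordLastSet     = $newest
        PasswordAgeDays     = $ageDays
        RotationOverdue     = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
        AllDcsReachable     = $allUp
        ReplicatedToAllDcs  = ($seen.Count -eq 1) -and $allUp   # gate for the second reset
        PerDomainController = $perDc
    }
}

$state = Get-KrbtgtRotationState
$state | Format-List PasswordLastSet, PasswordAgeDays, RotationOverdue, AllDcsReachable, ReplicatedToAllDcs
$state.PerDomainController | Format-Table -AutoSize
```

ReplicatedToAllDcs only tells you that the new key has reached every writable DC; it does not shorten the waiting period above, because existing tickets issued under the previous key still have to expire before the second reset is safe.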


2.6 - Rotate the password of the DSRM account


Summary: 


DSRM is the break-glass account of a Domain Controller. You have to define a password for this account when you promote a member server to a DC, and it behaves like the local Administrator of the DC. The password of the DSRM account is rarely changed, and it is a best practice to rotate it.




• Log on to the Domain Controller
• Run CMD with elevated rights
• Reset the password of the DSRM account:

Ntdsutil
Set DSRM password
Reset password on server DC    ("DC" is the server name)
Type the new password of the DSRM account and press Enter
Re-type the password of the DSRM account to confirm the change and press Enter
Type quit and press Enter
Type quit again and press Enter


• Recommendation


A procedure needs to be in place to reset the password of the DSRM account. It is recommended 
to rotate the password of the DSRM account every half year or year. 


Besides rotating the password of the DSRM account, it needs to be stored securely, with access to the password limited. Something like a password manager is a good start.


Last but not least, monitor security event ID 4794, which is logged when someone sets the password of the DSRM account.


Event 4794, Microsoft Windows security auditing.

An attempt was made to set the Directory Services Restore Mode administrator password.

Subject:
    Security ID:     CORP\Mark
    Account Name:    Mark
    Account Domain:  CORP
    Logon ID:        0x16376C

Additional Information:
    Caller Workstation:  DC
    Status Code:         0x0
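As an added example that is not part of the ADSA guide, the script below collects event ID 4794 from every Domain Controller and compares the subject account against the operators who are allowed to run the rotation procedure, so that an unexpected DSRM password change stands out. It assumes the ActiveDirectory module, remote Security-log access to the DCs and the ability to read that log; the CORP\Mark value in the approved list is a placeholder taken from the event shown above.

```powershell
# Added example (not from the ADSA guide): collect event ID 4794 (DSRM administrator
# password set) from all domain controllers and flag subjects that are not on the approved
# operator list. Assumes the ActiveDirectory module, remote event-log access to each DC and
# an account that may read the Security log. The approved list is a placeholder.
Import-Module ActiveDirectory

function Get-DsrmPasswordSetEvents {
    param(
        [int]$Days = 30,
        [string[]]$ApprovedOperators = @('CORP\Mark')   # placeholder: your rotation operators
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = try {
            Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4794; StartTime = $since
            }
        } catch { @() }   # "no events found" is raised as an error; treat it as an empty result

        foreach ($e in $events) {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $subject = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            [pscustomobject]@{
                TimeCreated       = $e.TimeCreated
                DomainController  = $dc.HostName
                Subject           = $subject
                LogonId           = $d['SubjectLogonId']
                CallerWorkstation = $d['Workstation']
                Status            = $d['Status']
                Succeeded         = ($d['Status'] -eq '0x0')   # 0x0 = password was set
                Approved          = ($ApprovedOperators -contains $subject)
            }
        }
    }
}

# Anything not performed by an approved operator deserves a ticket.
Get-DsrmPasswordSetEvents -Days 180 |
    Where-Object { -not $_.Approved } |
    Format-Table TimeCreated, DomainController, Subject, CallerWorkstation, Status -AutoSize
```

Because the DSRM password is per DC, the report includes the DC that logged the event; a 4794 that appears on a DC outside your rotation window is worth investigating even when the subject is an approved operator.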


2.7 - Improve auditing rules


Summary:

Domain Controllers are crucial servers, and solid auditing needs to be in place to track changes. The default audit policies do not give enough visibility to track potentially malicious behaviour.


Logging is important, but it becomes difficult if you don't know what to log. The good news is that the Windows Security Baseline provides guidance on audit policies.


[Screenshot: output of "auditpol /get /category:*" on a Domain Controller with the default audit policy. Subcategories such as Security System Extension, IPsec Driver, Other System Events, Account Lockout, IPsec Main/Quick/Extended Mode, Network Policy Server, User Device Claims and Group Membership show "No Auditing"; only a few, such as Logon and Security State Change, are set to "Success" or "Success and Failure".]


• Recommendation


The default audit policy of a Domain Controller is not enough; it gives limited visibility into the changes that are made. The Windows Security Baseline has solid advice for configuring the audit policies of DCs.


The following audit policies are recommended for Domain Controllers. Start by creating a GPO and configuring these Advanced Audit Policy settings:


Advanced Audit Policies

Policy Path           Policy Setting                              Configured Setting
Account Logon         Audit Credential Validation                 Failure
Account Logon         Audit Kerberos Authentication Service       Success and Failure
Account Logon         Audit Kerberos Service Ticket Operations    Failure
Account Management    Audit Computer Account Management           Success
Account Management    Audit Other Account Management              Success
Account Management    Audit Security Group Management             Success
Account Management    Audit User Account Management               Success and Failure
Detailed Tracking     Audit PNP Activity                          Success
Detailed Tracking     Audit Process Creation                      Success
DS Access             Audit Directory Services Access             Failure
DS Access             Audit Directory Service Changes             Success
Logon/Logoff          Audit Account Lockout                       Failure
Logon/Logoff          Audit Group Membership                      Success
Logon/Logoff          Audit Logon                                 Success and Failure
Logon/Logoff          Audit Other Logon/Logoff Events             Success and Failure
Logon/Logoff          Audit Special Logon                         Success
Object Access         Audit Detailed File Share                   Failure
Object Access         Audit File Share                            Success and Failure
Object Access         Audit Other Object Access                   Success and Failure
Object Access         Audit Removable Storage                     Success and Failure
Policy Change         Audit Policy Change                         Success
Policy Change         Audit Authentication Policy Change          Success
Policy Change         Audit MPSSVC Rule-Level Policy Change       Success and Failure
Policy Change         Audit Other Policy Change Events            Failure
Privilege Use         Audit Sensitive Privilege Use               Success and Failure
System                Audit Other System Events                   Success and Failure
System                Audit Security State Change                 Success
System                Audit Security System Extension             Success
System                Audit System Integrity                      Success and Failure


A list of recommended security event IDs can be found in section 10.5.


3.1 - Running periodic AD ACL scans


Summary: 


A former Microsoft PFE made a great tool to scan all the ACLs in an environment. ACLs/ACEs are often set by admins for temporary tasks but never revoked again, which means that these ACLs stay in an environment for years and create multiple escalation paths for attackers.

There are many tools on the internet with which attackers map out an entire environment to discover escalation paths through ACLs. Such tooling can be run as a low-privileged user without admin rights.


• Start with using AD ACL Scanner to get an overview of all the ACLs in an environment

• AD ACL Scanner: https://github.com/canix1/ADACLScanner


[Screenshot: AD ACL Scanner main window. The Domain Scan Options tab offers DACL (Access) or SACL (Audit) scanning, a Naming Context / rootDSE connection, Scan Depth (Base, One Level, Subtree), Objects to scan (OUs or All Objects, optionally including deleted objects), report columns (Owner, Inherited, DACL Size, SD Modified date, Object Class, Canonical Name, skip default and skip protected permissions) and HTML or CSV output. The Compare tab can compare the current state with a previously created CSV template, optionally using the USNs of the NTSecurityDescriptor for a faster compare and replacing the old domain DN and NetBIOS name with the current ones.]


• Recommendation 1


Start with running ACL scans on objects in Active Directory. In this screenshot, I am doing an ACL scan on the Domain Object, also known as the Domain Naming Context.


[Screenshot: AD ACL Scanner node tree with DC=corp,DC=contoso,DC=com selected.]


After the scan has finished, a report is generated that displays all the ACLs set on the Domain Object.


• Recommendation 2


Instead of scanning the ACLs on the Domain Object, we now scan the ACLs on an OU, in this example the OU "Users".


All the results can be exported to CSV files for later use, and I recommend running ACL scans periodically to find potential misconfigurations.


• Recommendation 3


You need to understand which permissions can be abused by an attacker. The following list of examples shows how each permission can be used by an attacker.


GenericAll (Full control)
    Full control on an object such as a user or group.
    • Take over the account by resetting its password
    • Add yourself to a group

GenericWrite (Write all properties)
    Write permissions on an object such as a user or group.
    • Set an SPN and disable pre-authentication for an account
    • Add yourself to a group

WriteDacl (Modify permissions)
    Modify the permissions of an object such as a user or group.
    • Assign yourself full control on the object and take over the account or group

WriteOwner (Modify owner)
    Modify the owner of an object such as a user or group.
    • Take ownership of a user or group and own it

AllExtendedRights (All extended rights)
    • Reset the password of a user
    • Replicate Directory Changes
    • Replicate Directory Changes All
    Never delegate AllExtendedRights or equivalent on the Domain Object. Only service accounts that synchronize passwords, such as Azure AD Connect, should have replication permissions.

Write gpLink
    • Ability to link a GPO to an OU

Write Members
    • Add yourself to a group

Write userAccountControl
    • Disable pre-authentication for accounts

Write account restrictions
    • Includes userAccountControl
    • Disable pre-authentication for accounts

Write servicePrincipalName
    • Write an SPN for an account to request a service ticket (ST) for it and crack it offline

Write msDS-AllowedToActOnBehalfOfOtherIdentity
    • Act on behalf of other identities towards services
    • Write msDS-AllowedToActOnBehalfOfOtherIdentity on Computer Objects can be used for Resource-Based Constrained Delegation attacks


3.2 - Manage ACEs set on OU=Domain Controllers


Summary: 


ACLs delegated on the OU of the Domain Controllers are a risk: if an attacker is able to link an arbitrary GPO or disable a GPO, the security of the Domain Controllers can be weakened.


This is an example where Paul West has "Write all properties" permissions on the OU of the Domain Controllers. Paul West can unlink the GPOs that are linked to this OU and thereby weaken the security of the DCs.


• Do NOT delegate permissions on the OU of the Domain Controllers
• Check whether permissions have been delegated on the OU of the Domain Controllers and remove them ASAP!


[Screenshot: Advanced Security Settings for Domain Controllers, Effective Access tab. Owner: Domain Admins (CORP\Domain Admins). User/Group: Paul West (paul@corp.contoso.com).]

Effective access   Permission             Access limited by
x                  Full control           Object permissions
v                  List contents
v                  Read all properties
v                  Write all properties
x                  Delete                 Object permissions
x                  Delete subtree         Object permissions


3.3 - Manage ACEs on Domain Controller Computer Objects


Summary: 


Users with "GenericAll" or equivalent on the DC Computer Objects can perform a Resource-Based Constrained Delegation attack to get code execution on the Domain Controller. For more information on how this attack path works, see https://identityaccess.management/2020/01/17/attacking-active-directory-for-fun-and-profit/


If a user has the right to write the property "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity" on the DC computer object, they can act on behalf of other identities towards that service, which is the DC in this example. This gives an attacker the ability to move laterally to the DC and get code execution on it.


Here is an example where a user has "Full control" permission on the DC computer object. I have seen this many times; never do this. Attackers can get code execution on the DC if you do.


• Check all ACLs that have been set on the DC Computer Objects, and if you discover something like this example, remove it ASAP. There is no reason to delegate permissions on these Computer Objects.


[Screenshot: Properties of the DC computer object, Security tab. Group or user names: CREATOR OWNER, SELF, Authenticated Users, SYSTEM, Amy Rusko (amy@corp.contoso.com), Domain Admins (CORP\Domain Admins), Cert Publishers (CORP\Cert Publishers). Permissions for Amy Rusko: Full control, Read, Write, Create all child objects, Delete all child objects, Allowed to authenticate, Change password, ... are all allowed.]


3.4 - Manage ACEs of users that are part of Domain Admins or equivalent


Summary:

Wrongly delegated permissions on users that are part of Domain Admins are a huge risk, because certain users or groups might be able to take over such an account and become Domain Admin.


Here is an example where we have three users in Domain Admins. 


[Screenshot: PowerShell output listing the three members of Domain Admins:
CN=Administrator,CN=Users,DC=corp,DC=contoso,DC=com (Administrator, user, RID 500),
CN=Mark Hassall,OU=Users,OU=Accounts,DC=corp,DC=contoso,DC=com (Mark Hassall, user) and
CN=Peter Houston,OU=Users,OU=Accounts,DC=corp,DC=contoso,DC=com (Peter Houston, user, SamAccountName Peter).]


Looking at the ACLs set on Peter Houston, there is a group called "Engineering" that has "Full control" permissions on the user Peter Houston.

Everyone in "Engineering" can now take over the account of Peter by resetting his password.


[Screenshot: Advanced Security Settings for Peter Houston, Permissions tab. Owner: Domain Admins (CORP\Domain Admins).]

Permission entries:

Type   Principal                              Access            Inherited from   Applies to
Allow  Everyone                               Change password   None             This object only
Allow  SELF                                   Change password   None             This object only
Allow  SELF                                   Special           None             This object and all descendants
Allow  Domain Admins (CORP\Do...)             Special           None             This object only
Allow  Enterprise Admins (CORP\En...)         Special           None             This object only
Allow  Engineering (CORP\Engineer...)         Full control      None             This object only
Allow  Pre-Windows 2000 Compatib...           Special           None             This object only
Allow  Administrators (CORP\Admi...)          Special           None             This object only


Remove all delegated permissions that have been set on the users in Administrators, Domain Admins, Enterprise Admins, etc. Nobody needs them.


3.5 - Manage ACEs that have been set on AD groups like Domain Admins or equivalent


Summary: 


AD ACL Scanner can automate this of course, but a quick check is to look at what ACLs have been set on groups like Administrators, Domain Admins and Enterprise Admins.


If an ACL has been delegated on one of these groups, it creates an escalation path for attackers to elevate their privileges, for example to Domain Admin.


Here is an example where Domain Users has "Write all properties" on the Domain Admins group, allowing everyone to make themselves a Domain Admin.


• Remove delegated users or groups from Administrators, Domain Admins, Enterprise Admins and equivalent groups. Such delegations create escalation paths to Domain Admin.


[Screenshot: Domain Admins Properties, Security tab. Group or user names: SELF, Authenticated Users, SYSTEM, Domain Admins (CORP\Domain Admins), Domain Users (CORP\Domain Users), Cert Publishers (CORP\Cert Publishers). Permissions for Domain Users: Full control, Read, Write, Create all child objects, Delete all child objects, with Write allowed.]


3.6 - Manage ACEs that have been set on the DNS Object


Summary: 


By default, Domain Controllers are DNS servers. Security researchers have discovered a way to execute a DLL as SYSTEM on the DC and thereby escalate privileges to Domain Admin.


Since DnsAdmins has "Full control" permission on the DNS Object by default, everyone in DnsAdmins can become a Domain Admin.


Here is an example where the group Sales has "Write all properties" permission on the DNS Object, which allows everyone in Sales to execute a DLL as SYSTEM on the DC and escalate their privileges to Domain Admin.


• Users or groups with "Full control" or "Write all properties" are unnecessary, because nobody needs that amount of rights. It is rare that someone needs full admin rights in DNS Management. Read permission on the DNS Object is enough to create DNS records, since "Authenticated Users" have "Create all child objects" on the forward lookup zones (FWLZ).

• Remove users or groups that have been delegated "Full control" or "Write all properties" permission on the DNS Object.


[Screenshot: DNS Manager, DC Properties, Security tab. Group or user names: SYSTEM, DnsAdmins (CORP\DnsAdmins), Sales (CORP\Sales), Domain Admins (CORP\Domain Admins), Enterprise Admins (CORP\Enterprise Admins), Key Admins (CORP\Key Admins). Permissions for Sales: Full control, Read, Write, Create all child objects, Delete all child objects, with Write allowed.]


3.7 - Manage ACEs that have been set on GPOs linked to Domain Controllers


Summary: 


The GPOs linked to the Domain Controllers OU contain many settings. All of these GPOs need to be managed from Tier 0. Do not delegate permissions on these GPOs, because everyone who can edit them can become a Domain Admin.


Here is an example where a GPO called "Group Policy 3" is linked to the OU of the Domain Controllers, but permissions on it have been delegated: Engineering has full rights and Paul can edit the GPO, which means that everyone in Engineering, and Paul, can become Domain Admin.


• Revoke the delegated permissions on GPOs that are linked to the Domain Controllers OU. All of these GPOs need to be managed from Tier 0.


[Screenshot: Group Policy Management, forest corp.contoso.com. The Domain Controllers OU has Default Domain Controllers Policy, Group Policy 2 and Group Policy 3 linked. Delegation tab of Group Policy 3: Authenticated Users - Read (from Security Filtering); Domain Admins (CORP\Domain Admins) - Edit settings, delete, modify security; Enterprise Admins (CORP\Enterprise Admins) - Edit settings, delete, modify security; ENTERPRISE DOMAIN CONTROLLERS - Read; SYSTEM - Edit settings, delete, modify security.]


3.8 - Manage ACEs that have been set on the Domain Object


Summary: 


Delegating rights on the Domain Object is not something you should consider, because it creates escalation paths to Domain Admin. I do see it a lot though, where admins decide to delegate rights on the Domain Object by assigning users or groups "Full control" permissions, because it makes the job "easier".


Users with "GenericAll" or equivalent on the Domain Object can replicate secrets from the Domain Controller and obtain the credentials of every user in AD, including the Administrator account.


This is an example that many organizations have in their environment: the default Exchange groups with wide permissions in AD. The group Exchange Trusted Subsystem has "Modify permissions" on the Domain Object and is a member of the group "Exchange Windows Permissions".


• Exchange Trusted Subsystem and Exchange Windows Permissions don't need to have modify permissions on the Domain Object.

• If you remove "Modify permissions" from Exchange Trusted Subsystem, a small piece of functionality in the Exchange Management Console will break: assigning "Send as" permissions to users. This can be delegated separately to resolve the problem.

• Check whether other users and groups have been delegated rights on the Domain Object, and try to remove them and find another way.


[Screenshot: Advanced Security Settings for corp (the Domain Object), Permissions tab. Owner: Administrators (CORP\Administrators).]

Permission entries:

Type   Principal                                Access                      Inherited from   Applies to
Deny   Everyone                                 Delete all child objects    None             This object only
Allow  Cloneable Domain Controllers (...)       Allow a DC to create a...   None             This object only
Allow  Enterprise Read-only Domain Co...        Replicating Directory...    None             This object only
Allow  Domain Controllers (CORP\Dom...)         Replicating Directory...    None             This object only
Allow  Key Admins (CORP\Key Admins)                                         None             This object and all descendants
Allow  Enterprise Key Admins (CORP\E...)                                    None             This object and all descendants
Allow  Exchange Trusted Subsystem (C...)        Modify permissions          None             Descendant Group objects
Allow  CREATOR OWNER                            Validated write to com...   None             Descendant Computer objects
Allow  SELF                                     Validated write to com...   None             Descendant Computer objects
Allow  ENTERPRISE DOMAIN CONTRO...                                          None             Descendant Computer objects
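The script below is an added example, not part of the ADSA guide and not code from AD ACL Scanner. It serves sections 3.1 through 3.8 at once: it walks the Tier 0 objects discussed there (the Domain Object, the Domain Controllers OU, the DC computer objects, the Administrators/Domain Admins/Enterprise Admins groups and their user members, the DNS object and the GPOs linked to the Domain Controllers OU) and reports every explicit, non-inherited Allow ACE that grants one of the rights the table in 3.1 lists as abusable to a principal outside a Tier 0 allow-list. Assumptions: the ActiveDirectory module with its AD: drive, a single-domain forest (so that Enterprise Admins resolves in the local domain), the well-known schema GUIDs in the hashtable, and that the DNS server ACL shown in 3.6 lives on CN=MicrosoftDNS,CN=System; the $Tier0 list is a starting point that you must extend with your own Tier 0 groups.

```powershell
# Added example (not from the ADSA guide nor from AD ACL Scanner): list explicit, non-inherited
# Allow ACEs on Tier 0 objects (3.2 to 3.8) that grant rights the 3.1 table marks as abusable,
# skipping principals that are expected to hold them. Assumes the ActiveDirectory module (AD:
# drive), a single-domain forest, the well-known schema GUIDs below, and that the DNS server
# ACL lives on CN=MicrosoftDNS,CN=System. Extend $Tier0 with your own Tier 0 groups.
Import-Module ActiveDirectory
$R = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known schema GUIDs of the attributes / extended rights called out in the 3.1 table.
$RightGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'Write member'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'Write gpLink'
    'bf967a68-0de6-11d0-a285-00aa003049e2' = 'Write userAccountControl'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Write account restrictions'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Write servicePrincipalName'
    '3f78c3e5-f79a-46bd-a0b8-9d18116ddc79' = 'Write msDS-AllowedToActOnBehalfOfOtherIdentity'
}

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName, [string[]]$Tier0Principals)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Only explicit Allow ACEs matter here: the guide is about delegations set by hand.
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Tier0Principals -contains $who) { continue }

        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()   # all-zero GUID = applies to every attribute / right
        $found  = New-Object System.Collections.Generic.List[string]

        if     ($rights.HasFlag($R::GenericAll))   { $found.Add('GenericAll') }
        elseif ($rights.HasFlag($R::GenericWrite)) { $found.Add('GenericWrite') }
        if ($rights.HasFlag($R::WriteDacl))  { $found.Add('WriteDacl') }
        if ($rights.HasFlag($R::WriteOwner)) { $found.Add('WriteOwner') }
        if ($rights.HasFlag($R::ExtendedRight)) {
            if     ($guid -eq [guid]::Empty.ToString()) { $found.Add('AllExtendedRights') }
            elseif ($RightGuids.ContainsKey($guid))     { $found.Add($RightGuids[$guid]) }
        }
        if ($rights.HasFlag($R::WriteProperty) -and
            $found -notcontains 'GenericAll' -and $found -notcontains 'GenericWrite') {
            if     ($guid -eq [guid]::Empty.ToString()) { $found.Add('Write all properties') }
            elseif ($RightGuids.ContainsKey($guid))     { $found.Add($RightGuids[$guid]) }
        }
        if ($found.Count -gt 0) {
            [pscustomobject]@{ Object = $DistinguishedName; Principal = $who
                               Rights = ($found -join ', '); AppliesTo = $ace.InheritanceType }
        }
    }
}

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName
$nb     = $domain.NetBIOSName
$Tier0  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers",
            "$nb\Enterprise Read-only Domain Controllers", "$nb\Cloneable Domain Controllers",
            "$nb\Key Admins", "$nb\Enterprise Key Admins", "$nb\Cert Publishers")

$targets  = @($dn, "OU=Domain Controllers,$dn", "CN=MicrosoftDNS,CN=System,$dn")   # 3.8, 3.2, 3.6
$targets += (Get-ADDomainController -Filter *).ComputerObjectDN                     # 3.3
foreach ($g in 'Administrators', 'Domain Admins', 'Enterprise Admins') {            # 3.5 and 3.4
    $targets += (Get-ADGroup -Identity $g).DistinguishedName
    $targets += (Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user').distinguishedName
}
$gpLink   = (Get-ADObject -Identity "OU=Domain Controllers,$dn" -Properties gPLink).gPLink   # 3.7
$targets += [regex]::Matches([string]$gpLink, '\[LDAP://([^;]+);\d+\]') | ForEach-Object { $_.Groups[1].Value }

$findings = foreach ($t in ($targets | Where-Object { $_ } | Select-Object -Unique)) {
    Get-RiskyAce -DistinguishedName $t -Tier0Principals $Tier0
}
$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

On an environment like the one in the screenshots the output would contain, for example, Engineering with GenericAll on Peter Houston (3.4), Domain Users with Write all properties on Domain Admins (3.5), Sales with Write all properties on the DNS object (3.6) and Exchange Trusted Subsystem with WriteDacl on the Domain Object (3.8); DnsAdmins will also show up with GenericAll on the DNS object, which is the default the guide warns about in 3.6. Export the findings to CSV and diff them between runs to get the periodic scan 3.1 asks for.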


3.9 - Run BloodHound


Summary: 


BloodHound finds all these ACL/ACE paths much quicker than looking for them manually, and it will probably discover more escalation paths. It is a great tool to discover wrongly delegated permissions in Active Directory.


It looks something like this, and I can recommend everybody to use it to secure their AD.


Download BloodHoundAD: https://github.com/BloodHoundAD/BloodHound 


[Screenshot: BloodHound graph of a TESTLAB lab domain showing MemberOf, HasSession and ExecuteDCOM edges between users, groups and computers.]


4.1 - Enable Active Directory Recycle Bin


Summary: 


Accidentally deleting an object can be stressful, but the good news is that there is something called the Active Directory Recycle Bin. This feature is not enabled by default, but once enabled it allows you to restore deleted objects.


• Enable Active Directory Recycle Bin
• Domain Admin or equivalent can enable it
• Run PowerShell with elevated rights


Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target corp.contoso.com


[Screenshot: PowerShell confirmation prompt for the command above, performing the operation "Enable" on target "Recycle Bin Feature"; answered with Y (the default).]


• Check if Active Directory Recycle Bin is enabled

Get-ADOptionalFeature 'Recycle Bin Feature' | Select-Object Name, EnabledScopes

Name                 EnabledScopes
----                 -------------
Recycle Bin Feature  {CN=Partitions,CN=Configuration,DC=corp,DC=contoso,DC=com, CN=NTDS Settings,CN=DC,CN=Servers,CN=...}


4.2 - Delegate rights to restore deleted objects


Summary: 


Restoring deleted objects requires Domain Admin rights by default, but this can be delegated to other groups so that DA is not required. Giving unnecessary permissions is a no-go.


• Run PowerShell with elevated rights (DA is required)

dsacls "CN=Deleted Objects,DC=corp,DC=contoso,DC=com" /takeownership

PS C:\windows\system32> dsacls ... /takeownership
Owner: CORP\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow NT AUTHORITY\SYSTEM             SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      DELETE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY

The command completed successfully
PS C:\windows\system32>


I have a group in AD called "Tier1", and I want to delegate to this group the permissions to restore deleted objects in Active Directory.


• Run the following command

dsacls "CN=Deleted Objects,DC=corp,DC=contoso,DC=com" /g CORP\Tier1:LCRPWP

PS C:\windows\system32> dsacls ... /g CORP\Tier1:LCRPWP
Owner: CORP\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow CORP\Tier1                      SPECIAL ACCESS
                                      LIST CONTENTS
                                      WRITE PROPERTY
                                      READ PROPERTY
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow NT AUTHORITY\SYSTEM             SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      DELETE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY

The command completed successfully
PS C:\windows\system32>


Everyone that is a member of the "Tier1" group can now restore deleted objects. 
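As an added example that is not part of the ADSA guide, the script below ties 4.1 and 4.2 together from the operator's side: it verifies that the Recycle Bin is enabled, lists who holds rights on the Deleted Objects container so that the dsacls delegation above can be reviewed, and restores a deleted user the way a member of the delegated group would. It assumes the ActiveDirectory module; "Tier1" is the guide's example group name and the account name in the commented usage line is constructed.

```powershell
# Added example (not from the ADSA guide): check that the Recycle Bin is on, review the ACL of
# the Deleted Objects container (4.2 grants CORP\Tier1 LC, RP and WP there) and restore a deleted
# user as the delegated operator would. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    return ($feature.EnabledScopes.Count -gt 0)
}

function Get-DeletedObjectsDelegation {
    $acl = Get-Acl -Path "AD:\CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights   # Tier1 should show ListChildren, ReadProperty, WriteProperty
            Inherited = $ace.IsInherited
        }
    }
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    if (-not (Test-RecycleBinEnabled)) {
        throw 'Recycle Bin is not enabled; a full restore of the object is not possible.'
    }
    # Deleted objects are hidden unless -IncludeDeletedObjects is given; sAMAccountName survives deletion.
    $deleted = @(Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
                              -IncludeDeletedObjects -Properties lastKnownParent)
    if ($deleted.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName' found." }
    if ($deleted.Count -gt 1) { throw 'More than one deleted object matches; restore by ObjectGUID instead.' }
    # Restore-ADObject puts the object back under lastKnownParent, so that container must still exist.
    $deleted[0] | Restore-ADObject
    return Get-ADUser -Identity $deleted[0].ObjectGUID
}

Test-RecycleBinEnabled
Get-DeletedObjectsDelegation | Format-Table -AutoSize
# Restore-DeletedUser -SamAccountName 'jdoe'   # constructed example account name
```

Any principal other than the ones shown in the dsacls output above (SYSTEM, BUILTIN\Administrators and the delegated Tier1 group) appearing in Get-DeletedObjectsDelegation is a delegation you did not plan and should remove.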


4.3 - Do not use legacy built-in groups in AD


Summary: 


The legacy groups in AD date from 2003, when security was not a hot topic. Groups like Account Operators, Backup Operators, Server Operators and Print Operators have more rights than needed, and their members can escalate their privileges to Domain Admin.


For more information: https://identityaccess.management/2020/01/17/attacking-active-directory-for-fun-and-profit/


If you have any members in the groups mentioned above, try to find a way to keep these groups empty. Microsoft recommends keeping Account Operators empty because it has wide permissions.


Note: By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.


Print Operators can be kept empty as well, because all the rights of this group can be delegated instead. Print Management itself is part of RSAT.

[Screenshot: Print Management, Print Server Properties of DC (local), Security tab. Group or user names: Everyone, ALL APPLICATION PACKAGES, CREATOR OWNER, Administrators (CORP\Administrators), Server Operators (CORP\Server Operators), Print Operators (CORP\Print Operators). Permissions for Print Operators: Print, Manage Printers, Manage Documents, View Server, Manage Server, Special permissions.]


4.4 - Enable SID Filtering


Summary: 


SID Filtering is a topic admins are familiar with from domain migrations. When you set up a trust between domains or forests, SID filtering is enabled by default on Windows 2003 or higher. Microsoft introduced SID filtering to mitigate privilege escalation techniques.


An attacker in a trusted domain can modify the SID history for a user, which could grant elevated 
privileges in the trusting domain. 


During an Active Directory migration, SID History is used so that migrated accounts in the trusted domain keep access to resources in the trusting domain, but this only works when SID Filtering is NOT enabled. In other words, if migrated users need that access across a trust, SID Filtering has to be disabled, and that is why attackers have been leveraging this attack vector.


When SID filtering is enabled, the only SIDs that are used as part of a user's token are those from the trusted domain itself; SIDs from other domains are not included. SID filtering makes things more secure.


This is an example where SID Filtering is enabled and we want to access a SQL database in a trusting domain. We can't.


[Screenshot: SQL Server Management Studio connection error]

Cannot connect to vas03.

Additional information:

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (Microsoft SQL Server, Error: 18452)


• Recommendation


SID Filtering makes things more secure, but it can cause problems with transitive trusts.


If you haven't enabled SID filtering yet, doing so requires a lot of planning and testing before you turn it on.


• Check if SID Filtering is enabled

netdom trust contoso.com /domain:fabrikam.com /quarantine

• Enable SID Filtering

netdom trust <contoso.com> /Domain:<fabrikam.com> /Quarantine:Yes

Contoso.com is the trusting domain in this example.

Fabrikam.com is the trusted domain in this example.


4.5 - Remove SID History


Summary: 
MITRE describes it as follows:


"The Windows security identifier (SID) is a unique value that identifies a user or group account. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing interoperable account migration between domains.

Adversaries may use this mechanism for privilege escalation. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators."


• Here we can see the sIDHistory attribute of a user that has been migrated.

[Screenshot: Attribute Editor of the migrated user]
objectSid    S-1-5-21-1661861776-1935274072-3470736...
sIDHistory   S-1-5-21-705306126-2858168601-2470318...


• Identify users with a sIDHistory value

Get-ADUser -Filter * -Properties SIDHistory | Where-Object SIDHistory


• Recommendations

After you have enabled SID Filtering, it is recommended to clean up all the sIDHistory attributes in AD.


• Clean up SID History

netdom trust contoso.com /domain:fabrikam.com /enablesidhistory:No

Contoso.com is the trusting domain and fabrikam.com is the trusted domain.
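The following PowerShell is an added example, not part of the ADSA guide, covering 4.4 and 4.5 together: it reports the SID filtering state of every trust (Get-ADTrust exposes the netdom /quarantine flag as SIDFilteringQuarantined and the forest-trust equivalent as SIDFilteringForestAware) and inventories every object that still carries sIDHistory, marking the two cases MITRE's description above makes suspicious: history SIDs that belong to the local domain, which a migration never produces, and history SIDs with a well-known RID such as 512 or 519. It assumes the ActiveDirectory module.

```powershell
# Added example (not from the ADSA guide): SID filtering status per trust and an inventory of
# sIDHistory values, flagging local-domain and well-known-RID entries. Assumes the
# ActiveDirectory module and read access to the trust objects and user/group attributes.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined   # netdom /quarantine:Yes
            SIDFilteringForestAware = $_.SIDFilteringForestAware   # forest trust equivalent
            # Either flag filters foreign SIDs; false/false means SID History from the other side is honoured.
            SidFilteringEffective   = ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
        }
    }
}

function Get-SidHistoryInventory {
    $localDomainSid = (Get-ADDomain).DomainSID.Value
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $sidString  = $sid.Value
                $domainPart = $sidString.Substring(0, $sidString.LastIndexOf('-'))
                $rid        = [int]$sidString.Split('-')[-1]
                [pscustomobject]@{
                    Account         = $obj.sAMAccountName
                    ObjectClass     = $obj.ObjectClass
                    HistorySid      = $sidString
                    SourceDomainSid = $domainPart
                    SameDomain      = ($domainPart -eq $localDomainSid)   # never the result of a migration
                    WellKnownRid    = ($rid -lt 1000)                    # e.g. 512 Domain Admins, 519 Enterprise Admins
                }
            }
        }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-SidHistoryInventory | Sort-Object SameDomain, WellKnownRid -Descending | Format-Table -AutoSize
```

Run the inventory before and after the netdom /enablesidhistory:No step: the command stops new history from being honoured across the trust, but the attribute values themselves stay on the objects until you clear them, and the SameDomain/WellKnownRid rows deserve an incident ticket rather than a cleanup task.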


4.6 - Tier 0 admins need to be members of the Protected Users group


Summary: 


Protected Users is a group that was introduced in Windows Server 2012 R2. The primary idea behind Protected Users is to prevent the credentials of its members from being abused when they log in.

A best practice is to add your Tier 0 admins, the ones who manage critical servers like Domain Controllers, Azure AD Connect, ADFS, etc., to the Protected Users group in Active Directory.


[Screenshot: Protected Users group properties, General tab. Description: "Members of this group are afforded additional protections"]


• 4.7 - Tier 0 admins need to have the "Account is sensitive and cannot be delegated" checkmark


Summary: 


"Account is sensitive and cannot be delegated" ensures that an account's credentials cannot be forwarded to other computers or services on the network that support Unconstrained Delegation.

• Ensure that Tier 0 admins have the "Account is sensitive and cannot be delegated" checkmark on.


[Screenshot: Account tab of user CORP\Mark (logon hours, log on to, unlock account, and the Account options list where the checkmark is set)]
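One way to audit 4.6 and 4.7 together, as an added example that is not ADSA's own code: it reports Tier 0 admins missing the Protected Users membership or the "Account is sensitive and cannot be delegated" flag. The Tier 0 group list is an assumption for this environment.

```powershell
# Added example, not part of ADSA: report Tier 0 admins that are missing either
# the Protected Users membership (4.6) or the "Account is sensitive and cannot be
# delegated" flag (4.7). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Assumption: these are the groups whose members count as Tier 0 admins here.
# Only human admin accounts belong in Protected Users; service accounts lose
# NTLM, RC4 and delegation support there and will break.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

function Get-Tier0AdminFindings {
    param([string[]]$Groups = $tier0Groups)

    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty DistinguishedName

    $Groups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property DistinguishedName -Unique |
        ForEach-Object {
            # AccountNotDelegated is the NOT_DELEGATED bit of userAccountControl,
            # i.e. the checkbox shown in 4.7.
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated
            [PSCustomObject]@{
                SamAccountName   = $u.SamAccountName
                InProtectedUsers = $protected -contains $u.DistinguishedName
                NotDelegated     = [bool]$u.AccountNotDelegated
            }
        } |
        Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated }
}

$findings = Get-Tier0AdminFindings
$findings | Format-Table -AutoSize

# Remediation; -WhatIf keeps this run read-only, drop it once the list is reviewed.
foreach ($f in $findings) {
    if (-not $f.NotDelegated) {
        Set-ADUser -Identity $f.SamAccountName -AccountNotDelegated $true -WhatIf
    }
    if (-not $f.InProtectedUsers) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $f.SamAccountName -WhatIf
    }
}
```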


• 5.1 - Backup and restore plan for DNS


Summary: 


Having a backup is one thing, but restoring is the second part. DNS is a critical component of AD, and it is important to cover DNS in a Disaster Recovery plan as well.

All DNS backups need to be stored securely, as mentioned before. However, that does not mean you should store all the backup data on member servers in AD.

Attackers go after backup servers, and since many organizations manage AD very poorly, offline backups are required.


• Recommendations: Self-Assessment

- What is our backup procedure for DNS? Do we make backups every day, week or month?

- Can we confirm that our backup is stored offline as well?

- Have we practiced a DNS restore?


• 5.2 - DnsAdmins


Summary: 


As mentioned before, DNS is a critical component of AD, and usually the users who need to do "something" with DNS are part of the DnsAdmins group in Active Directory.

Since this group has elevated rights, and often more rights than needed, it is recommended to keep its membership very limited.


• Recommendation:


DNS management does not require full DnsAdmins rights. Users mainly need to create some DNS records, and that is it; it is rare that someone needs to create a new Forward Lookup Zone.

Delegating a group on the DNS object with only "Read" permission is enough. From there they are allowed to create DNS records.

In this example, Engineering is a group that has Read permission on the DNS object. Everyone in Engineering can now create a DNS record, because by default Authenticated Users has "Create all child objects" on the Forward Lookup Zones.


[Screenshot: DC Properties, Security tab. Group or user names: SELF, SYSTEM, DnsAdmins (CORP\DnsAdmins), Engineering (CORP\Engineering), Domain Admins (CORP\Domain Admins), Enterprise Admins (CORP\Enterprise Admins). Permissions for Engineering: Full control, Read, Write, Create all child objects, Delete all child objects, with only Read allowed]


• 6.1 - Backup and restore plan for DHCP


Summary: 


Like DNS, DHCP is also a crucial part to cover. Ensure that a backup and restore plan is in place that covers restoring a DHCP backup.


Recommendations: Self-Assessment

• What is the backup procedure for DHCP? Do we make backups every day, week or month?

• Can we confirm that our DHCP backups are stored offline?

• When was the last time that you practiced a DHCP restore?


• 7.1 - Backup and restore plan for AD CS


Summary: 


PKI is a Tier 0 component, especially at financial institutions. Having backups of PKI and being able to restore them is very important.

However, a lot depends on what PKI is used for. A proper risk assessment needs to be done on PKI to understand the business value behind it. What happens when an attacker has compromised your PKI?


Recommendations: Self-Assessment

• What is the backup procedure for PKI?
• Are backups of PKI stored offline as well?
• When was the last time that you restored PKI?


• 7.2 - Enable auditing rules on PKI


Summary: 


Enabling auditing rules is important, but a lot depends on what PKI is used for in the business. A proper risk assessment needs to be done to understand whether it is worth collecting AD CS event logs.

In our example, PKI is a critical component for the organization, which means that it needs to be secured at a high level.

An important aspect is to enable auditing rules to gain visibility.


[Screenshot: Contoso Corp CA Properties, Auditing tab, "Events to audit" with all seven categories unchecked: Back up and restore the CA database; Change CA configuration; Change CA security settings; Issue and manage certificate requests; Revoke certificates and publish CRLs; Store and retrieve archived keys; Start and stop Active Directory Certificate Services. The tab notes: "To start logging events to the security log, you must enable the 'Audit object access' setting in Group Policy."]


• Recommendations

Start with enabling the auditing rules, but don't enable all of them immediately, because that can cause a lot of noise.

1. These are the auditing rules that I would recommend enabling:


[Screenshot: the same Auditing tab with "Back up and restore the CA database", "Change CA configuration", "Change CA security settings" and "Store and retrieve archived keys" checked; "Issue and manage certificate requests", "Revoke certificates and publish CRLs" and "Start and stop Active Directory Certificate Services" remain unchecked]


2. Enable the following audit policy under Advanced Audit Policy Configuration:
• Audit Certification Services: Success and Failure

[Screenshot: Audit Certification Services Properties dialog, "Configure the following audit events" with Success checked]


• 7.3 - Monitor relevant PKI event logs


Summary: 


After enabling the audit policies at the PKI level, there are different events that should form a baseline for an organization. All of these events might be worth loading into a SIEM solution and monitoring, but, as said before, a risk assessment needs to be done on PKI first to understand whether it is worth monitoring PKI.

Here are a few examples:


Event ID   Description                                                         Priority
4882       The security permissions for Certificate Services changed
4890       The certificate manager settings for Certificate Services changed
4900       Certificate Services template security was updated
4896       One or more rows have been deleted from the certificate database
4891       A configuration entry changed in Certificate Services
4873       A certificate request extension changed
4877       Certificate Services backup completed
4879       Certificate Services restore completed
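The 7.2 configuration and the 7.3 event collection as one PowerShell script, added here and not ADSA's own code. It enables exactly the four CA audit categories recommended in 7.2 through the CA's AuditFilter registry value (bit values per Microsoft's certutil documentation), turns on the Certification Services subcategory, and then pulls the 7.3 event IDs from the CA's Security log. Run it on the CA itself as an administrator.

```powershell
# Added example, not part of ADSA: apply the 7.2 audit settings and read the
# 7.3 events back from the CA's Security log. Run on the CA as an administrator.

# CA\AuditFilter is a bitmask; these are the documented bit values.
$auditBits = @{
    StartStopService = 0x01   # Start and stop Active Directory Certificate Services
    BackupRestore    = 0x02   # Back up and restore the CA database
    IssueManage      = 0x04   # Issue and manage certificate requests
    RevokePublishCrl = 0x08   # Revoke certificates and publish CRLs
    ChangeSecurity   = 0x10   # Change CA security settings
    ArchivedKeys     = 0x20   # Store and retrieve archived keys
    ChangeConfig     = 0x40   # Change CA configuration
}
# The four categories checked in 7.2; the noisy ones (issue/revoke/start-stop) stay off.
$wanted = $auditBits.BackupRestore -bor $auditBits.ChangeConfig -bor $auditBits.ChangeSecurity -bor $auditBits.ArchivedKeys

certutil -setreg CA\AuditFilter $wanted | Out-Null
# The events only reach the Security log once the subcategory is enabled, and
# the CA service has to be restarted to pick up the new filter.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
Restart-Service -Name CertSvc

# Event IDs and descriptions from the 7.3 table.
$pkiEvents = @{
    4873 = 'A certificate request extension changed'
    4877 = 'Certificate Services backup completed'
    4879 = 'Certificate Services restore completed'
    4882 = 'The security permissions for Certificate Services changed'
    4890 = 'The certificate manager settings for Certificate Services changed'
    4891 = 'A configuration entry changed in Certificate Services'
    4896 = 'One or more rows have been deleted from the certificate database'
    4900 = 'Certificate Services template security was updated'
}

function Get-EventDataField {
    # Reads a named field from the event's XML, which is stable across event types.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-PkiAuditEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = @($pkiEvents.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Description = $pkiEvents[$_.Id]
            Subject     = Get-EventDataField -Event $_ -Name 'SubjectUserName'
        }
    }
}

Get-PkiAuditEvents -Hours 24 | Format-Table -AutoSize
```

The same Get-PkiAuditEvents query is what you would point a SIEM collector at; until then it gives a daily baseline of who changed what on the CA.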


• 7.4 - Hardening settings for PKI


Summary: 


Create a GPO with the following security settings, to be applied on the PKI servers.


• Security Options

Setting                                                               Value
Accounts: Administrator account status                                Disabled
Accounts: Rename administrator account                                PKIAccount
Accounts: Rename guest account                                        PKIGuest
Devices: Restrict CD-ROM access to locally logged-on user only        Enabled
Network security: LAN Manager authentication level                    Send NTLMv2 responses only. Refuse LM & NTLM
Microsoft network client: Digitally sign communications (always)      Enabled
Microsoft network server: Digitally sign communications (always)      Enabled


It is understandable if IT Admins create a new local Administrator account as their "break-glass" account.
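The registry-backed settings of this GPO built with the GroupPolicy module, as an added example that is not ADSA's own code. The GPO name and the target OU (taken from the Tier 0 layout in 11.1) are assumptions; the account status and rename settings are not registry values and are left to the Group Policy editor.

```powershell
# Added example, not part of ADSA: build the 7.4 security-options GPO and link
# it to the PKI servers' OU, then verify the resulting state on a PKI server.
Import-Module GroupPolicy

$gpoName  = 'PKI - Security Options'                                            # assumed name
$targetOu = 'OU=Tier 0 Servers,OU=Tier 0,OU=Admin,DC=corp,DC=contoso,DC=com'   # assumed, per 11.1

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'ADSA 7.4 hardening settings for PKI' }

# Network security: LAN Manager authentication level
#   5 = Send NTLMv2 responses only. Refuse LM & NTLM
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# Microsoft network client / server: Digitally sign communications (always) = Enabled
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null

# Devices: Restrict CD-ROM access to locally logged-on user only = Enabled
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'AllocateCDRoms' -Type String -Value '1' | Out-Null

# "Administrator account status" and the two rename settings live in the GPO's
# security template (GptTmpl.inf), so set those in the Group Policy editor.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Verification, to be run on a PKI server after gpupdate: reads the live values.
function Get-PkiHardeningState {
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wks   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srv   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $logon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [PSCustomObject]@{
        LmCompatibilityLevel  = $lsa.LmCompatibilityLevel          # expect 5
        ClientSigningRequired = $wks.RequireSecuritySignature      # expect 1
        ServerSigningRequired = $srv.RequireSecuritySignature      # expect 1
        CdRomRestricted       = $logon.AllocateCDRoms              # expect '1'
        # The built-in Administrator always has RID 500, whatever it was renamed to.
        BuiltinAdminEnabled   = (Get-LocalUser | Where-Object SID -like 'S-1-5-21-*-500').Enabled
    }
}
Get-PkiHardeningState
```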


• 8.1 - Fine-Grained Password Policies for Service Accounts


Summary: 


Service accounts often have poor passwords, which makes it likely that attackers go after those accounts. Service account passwords are rarely changed, so the aim is to enforce that service accounts have a strong password.

This is an example where I have a few SQL service accounts that I just created.


[Screenshot: five user accounts with their descriptions: CM 2012 Client Network Access (service account used as the network access account for Configuration Manager), NDES Service (service account used by NDES), SQL Agent Service Account (runs the SQL Server 2012 Agent service), SQL DB Engine Service Account (runs the SQL Server 2012 database engine), SQL Reporting Service Account (runs SQL Server 2012 reporting services)]


All the service accounts are part of the SQL Service Accounts group.


[Screenshot: SQL Service Accounts group, Members tab, listing the five accounts under corp.contoso.com/Accounts/Services]


It is recommended to enforce a strong password for service accounts. We do have great features like Managed Service Accounts, but unfortunately not all of these service accounts were able to support them.


• Recommendation

Start with enforcing that service accounts have a password of at least 20 characters.

Open Active Directory Administrative Center and follow the instructions below:

• Click on corp (local)
• Click on System
• Click on Password Settings Container
• Click New


[Screenshot: Active Directory Administrative Center, corp (local) > System > Password Settings Container, with the New action selected]


Here I am configuring the password settings for the service accounts.


[Screenshot: Create Password Settings: Password Security. Recoverable values: precedence and minimum password length set (the values 20 and 25 are visible), password history enforced with 24 passwords remembered, complexity required, reversible encryption not selected, protected from accidental deletion, minimum password age 1 day, maximum password age 42 days, account lockout with a 30-minute reset window and a 30-minute lockout duration, directly applied to the SQL Service Accounts group]


Now, when resetting the password of a service account that is part of the SQL Service Accounts group and you have picked a poor password, it will be denied.

Every time an account is part of the "SQL Service Accounts" group, the password settings will be applied to the account.


[Dialog: Active Directory Domain Services]
Windows cannot complete the password change for NDES Service because:
The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.


• 8.2 - Fine-Grained Password Policy for IT Admins


Summary: 


High-privileged users in a Windows network, which are usually IT Admins, need to have a strong password as well. Creating a fine-grained password policy for those accounts with a minimum of 14-16 characters would be great.

In this example, I have three members in the "Engineering" department. All of them have access to lots of systems in the network, and I want to be sure that they have a strong password.


[Screenshot: Engineering group, Members tab: Craig Dewar, Jeff Wang and Paul West, all under corp.contoso.com/Accounts/Users]


• Recommendation

Create a Fine-Grained Password Policy for IT Admins with the goal of enforcing a longer password.


[Screenshot: Create Password Settings: Engineering. Name: Engineering; Precedence: 14; minimum password length 16 characters; password history enforced with 24 passwords remembered; complexity required; reversible encryption not selected; protected from accidental deletion; description "Password Policy for Engineers"; minimum password age 1 day; maximum password age 42 days; account lockout policy not enforced]


• 8.3 - Upgrade Default Password Policy


Summary: 


The default password policy in AD makes it much easier for attackers to perform password spraying attacks to obtain credentials.

A default password policy is often around 7-8 characters. It is up to you to increase the minimum password length to something like at least 12-14 characters.


[Screenshot: Windows PowerShell, the values in the capture are not legible]

PS C:\Users\Mark> net accounts /domain

Force user logoff how long after time expires?:
Minimum password age (days):
Maximum password age (days):
Minimum password length:
Length of password history maintained:
Lockout threshold:
Lockout duration (minutes):
Lockout observation window (minutes):
Computer role:
The command completed successfully.
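The three password-policy steps from 8.1, 8.2 and 8.3 in PowerShell, as an added example that is not ADSA's own code: it creates the two fine-grained policies with the names, precedences and lengths given in those sections, resolves which policy actually applies to an account, and flags a default domain policy that still allows short passwords. The group names are the ones from the screenshots; the 12-character floor is the lower bound the text suggests.

```powershell
# Added example, not part of ADSA: create the 8.1 and 8.2 fine-grained password
# policies and check the 8.3 default domain policy. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$policies = @(
    @{ Name = 'Password Security'; Precedence = 20; MinLength = 20; AppliesTo = 'SQL Service Accounts'
       Description = 'Password policy for service accounts' }
    @{ Name = 'Engineering';       Precedence = 14; MinLength = 16; AppliesTo = 'Engineering'
       Description = 'Password Policy for Engineers' }
)

foreach ($p in $policies) {
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        # Age, history and complexity values are the ones visible in the 8.1/8.2 screenshots.
        New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLength -PasswordHistoryCount 24 `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
            -ProtectedFromAccidentalDeletion $true -Description $p.Description
    }
    # A lower precedence number wins when a user falls under several policies.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.AppliesTo
}

# Which policy actually applies to a given account (resultant PSO)?
function Get-EffectivePolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso }
    return Get-ADDefaultDomainPasswordPolicy   # no PSO applies: the default domain policy wins
}

# 8.3: flag a default domain policy that still allows short passwords.
function Test-DefaultPasswordPolicy {
    param([int]$MinimumLength = 12)
    $dp = Get-ADDefaultDomainPasswordPolicy
    [PSCustomObject]@{
        MinPasswordLength = $dp.MinPasswordLength
        ComplexityEnabled = $dp.ComplexityEnabled
        LockoutThreshold  = $dp.LockoutThreshold
        Compliant         = ($dp.MinPasswordLength -ge $MinimumLength) -and $dp.ComplexityEnabled
    }
}

Get-EffectivePolicy -SamAccountName 'SQLAgent' | Select-Object Name, Precedence, MinPasswordLength
Test-DefaultPasswordPolicy
```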


• 9.1 - Accounts with SPN in Domain Admins


Summary: 


Accounts that have an SPN and are members of the Domain Admins group or equivalent are a huge risk. Every attacker is able to request a service ticket for that SPN account, export the ticket, and crack it offline.

Service accounts are everywhere. It is difficult to give clear in-depth details on which groups you should check, because you might have custom delegated groups with service accounts in them.

Start by looking for accounts with an SPN in groups like Administrators, Domain Admins, Enterprise Admins, Account Operators and DnsAdmins.


• This is a common example, where we have a few SQL service accounts in Domain Admins.

[Screenshot: Domain Admins group, Members tab: Administrator, CM 2012 Client Network Access, Mark Hassall, Peter Houston, SQL Agent Service Account, SQL DB Engine Service Account, SQL Reporting Service Account]


Service account passwords are rarely changed, so it is not a surprise if an attacker is able to crack such a password very easily.

[Screenshot: net user SQLAgent /domain output. User name SQLAgent; Full Name SQL Agent Service Account; Comment "Service account used to run SQL Server 2012 Agent service"; Country/region code 000 (System Default); Account active Yes; Account expires Never; Password last set and Password changeable dates (truncated in the capture); Password expires Never; Password required Yes; User may change password Yes]


• Recommendation

(Service) accounts with an SPN should never be part of the Domain Admins group. Vendors often require this, but why would you actually want it?

Every Domain Admin is one more risk for an organization. There is no reason to assign someone Domain Admin rights.

Try to contact your vendor to understand which rights the product really needs. Besides that, stop accepting vendors requiring Domain Admin rights. Push back. Don't make any deals with them.

Domain Admins is only required for the following tasks:

• Raise Domain Functional Level
• Promote a Domain Controller

All the other rights can be delegated.


• 9.2 - Accounts with Pre-Authentication disabled


Summary: 


When pre-authentication is disabled, every person on the network is able to request authentication data for the account: the KDC will return an encrypted TGT, which can be cracked offline.

Usually this setting is enabled on service accounts for compatibility reasons.

• Here is an example where we can see that an account has pre-authentication disabled.


[Screenshot: Heidi Steen Properties, Account tab. User logon name heidi@corp.contoso.com, pre-Windows 2000 logon name CORP\Heidi, and the Account options list]


• Recommendations

The first thing is to get an overview of all the accounts that have pre-authentication disabled.

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol


[Screenshot: output listing two accounts with the flag set: Mark Hassall (CN=Mark Hassall,OU=Users,OU=Accounts,DC=corp,DC=contoso,DC=com) and Heidi Steen, each with DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SID, UserAccountControl and UserPrincipalName]


The second part is to check whether those accounts are still in use. If not, disable them and later on delete them. This setting is usually found on service accounts, but if pre-authentication is disabled on a regular user account, it is a finding.
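The two checks from 9.1 and 9.2 in one report, as an added example that is not ADSA's own code: accounts with an SPN inside the privileged groups named in 9.1, and accounts with pre-authentication disabled together with last-logon data so the "still in use?" question from 9.2 can be answered. The 90-day threshold is an assumption.

```powershell
# Added example, not part of ADSA: Kerberos exposure audit for 9.1 and 9.2.
# Read-only. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Groups named in 9.1 as a starting point; add your own delegated groups.
$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Account Operators', 'DnsAdmins'

function Get-PrivilegedSpnAccounts {
    param([string[]]$Groups = $privilegedGroups)
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties ServicePrincipalName, PasswordLastSet } |
            Where-Object { $_.ServicePrincipalName.Count -gt 0 } |
            ForEach-Object {
                [PSCustomObject]@{
                    Group           = $g
                    SamAccountName  = $_.SamAccountName
                    SPNs            = ($_.ServicePrincipalName -join '; ')
                    PasswordLastSet = $_.PasswordLastSet   # an old date means the ticket is crackable at leisure
                }
            }
    }
}

function Get-NoPreAuthAccounts {
    param([int]$UnusedAfterDays = 90)   # assumption: no logon in 90 days = not in use
    # DoesNotRequirePreAuth is the 0x400000 (4194304) userAccountControl bit
    # from the text's filter; LastLogonDate decides whether to disable and delete.
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties LastLogonDate, ServicePrincipalName |
        ForEach-Object {
            $hasSpn  = $_.ServicePrincipalName.Count -gt 0
            $unused  = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt (Get-Date).AddDays(-$UnusedAfterDays))
            $finding = if (-not $hasSpn)  { 'Regular user without pre-authentication: finding' }
                       elseif ($unused)   { 'Unused: disable, then delete' }
                       else               { 'Service account in use: review the compatibility need' }
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                LastLogonDate  = $_.LastLogonDate
                HasSPN         = $hasSpn
                Finding        = $finding
            }
        }
}

Get-PrivilegedSpnAccounts | Format-Table -AutoSize
Get-NoPreAuthAccounts     | Format-Table -AutoSize
```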


• 9.3 - Servers with Unconstrained Delegation


Summary: 


Unconstrained Delegation gives a service the ability to impersonate a user to every other Kerberos service on the network.

The risk behind Unconstrained Delegation is that when a user signs in to a server with Unconstrained Delegation, a TGT of the user is attached to the TGS so it can be presented to the service later. So when a user accesses the server, the TGT is extracted into memory, and the service is able to impersonate the user to every Kerberos service.

This is a serious risk, and Microsoft has recommended never using this kind of configuration again.


• Find servers with Unconstrained Delegation

# 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained), 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION
# (protocol transition), msDS-AllowedToDelegateTo = constrained delegation targets.
Get-ADObject -Filter { (UserAccountControl -band 0x0080000) -or (UserAccountControl -band 0x1000000) -or (msDS-AllowedToDelegateTo -like '*') } -Properties Name,ObjectClass,PrimaryGroupID,UserAccountControl,ServicePrincipalName,msDS-AllowedToDelegateTo


[Screenshot: output showing the CM server object (CN=CM,OU=Servers,OU=Accounts,...) with its Name, ObjectClass, PrimaryGroupID, ServicePrincipalName values (including TERMSRV/...) and UserAccountControl]


• Recommendation

Servers with Unconstrained Delegation are dangerous, but they were often configured ten years ago, when security was not a huge topic.

• Tier 0 admins need to be part of the Protected Users group in AD, and the "Account is sensitive and cannot be delegated" checkmark needs to be enabled.

• Limit, but also monitor, the local Administrators group on the Unconstrained Delegation servers.

• If possible, limit connections to the Unconstrained Delegation servers as much as you can.

• Block internet access on Unconstrained Delegation servers.


• 10.1 - Ensure AdminSDHolder is in a clean state


Summary: 


AdminSDHolder is a container inside Active Directory that maintains a master list of permissions for objects that are members of privileged groups (AdminCount=1) in Active Directory.

Every hour, a mechanism called SDProp compares the permissions of an account that is part of a high-privileged group, like Domain Admins, with the security permissions of AdminSDHolder.

If an attacker or an insider is able to modify the ACL of AdminSDHolder, all those permissions will be applied to the protected objects, which gives an attacker a sort of "persistence".

I can guarantee that I see this a lot in environments.

• Here is an example where "Engineering" has been given "Full control" permissions on the AdminSDHolder container.


[Screenshot: Advanced Security Settings for AdminSDHolder. Owner: Domain Admins (CORP\Domain Admins)]

Permission entries:

Type   Principal                                    Access        Inherited from   Applies to
Allow  Everyone                                     Special       None             This object only
Allow  SELF                                         Special       None             This object only
Allow  SELF                                         Special       None             This object and all descendant objects
Allow  Domain Admins (CORP\Domain Admins)           Special       None             This object only
Allow  Enterprise Admins (CORP\Enterprise Admins)   Special       None             This object only
Allow  Engineering (CORP\Engineering)               Full control  None             This object only
Allow  Pre-Windows 2000 Compatible Access           Special       None             This object only
Allow  Administrators (CORP\Administrators)         Special       None             This object only
Allow  Authenticated Users                          Special       None             This object only
Allow  SYSTEM                                       Full control  None             This object only


• Recommendations

Be careful when delegating permissions on the AdminSDHolder container. Users or groups with "Full control", "Write all properties" or equivalent rights create escalation paths to all the high-privileged groups in AD.

It is recommended to keep AdminSDHolder in a clean state, which means that no additional users or groups should be delegated on the object.
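A check for the clean state described above, as an added example that is not ADSA's own code: it lists every ACE on AdminSDHolder whose principal is not in the expected set, marks the ones that grant rights SDProp would copy onto every protected account, and offers a reviewed removal. The expected-principal list is an assumption built from the screenshot plus the entries present in a freshly built domain; compare it with your own default before relying on it.

```powershell
# Added example, not part of ADSA: audit the AdminSDHolder ACL (10.1).
# Requires the ActiveDirectory module (it provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$netbios       = $domain.NetBIOSName
$adminSdHolder = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Assumption: principals that belong on AdminSDHolder. The first eight are the
# ones in the 10.1 screenshot; the last three exist in a default domain as well.
$expectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins", 'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$netbios\Cert Publishers", 'BUILTIN\Windows Authorization Access Group',
    'BUILTIN\Terminal Server License Servers'
)

# Rights that let the holder rewrite every protected object once SDProp copies them.
$escalationMask = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner, WriteProperty'

function Get-AdminSdHolderFindings {
    (Get-Acl -Path $adminSdHolder).Access |
        Where-Object { $_.IdentityReference.Value -notin $expectedPrincipals } |
        ForEach-Object {
            [PSCustomObject]@{
                Principal  = $_.IdentityReference.Value
                Type       = $_.AccessControlType
                Rights     = $_.ActiveDirectoryRights
                Escalation = (([int]$_.ActiveDirectoryRights) -band $escalationMask) -ne 0
            }
        }
}

$findings = Get-AdminSdHolderFindings
$findings | Format-Table -AutoSize

# Remove a stray ACE after review, e.g. the Engineering "Full control" entry from the screenshot.
function Remove-AdminSdHolderAce {
    param([Parameter(Mandatory)][string]$Principal)
    $acl = Get-Acl -Path $adminSdHolder
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $adminSdHolder -AclObject $acl
}
# Remove-AdminSdHolderAce -Principal "$netbios\Engineering"
```

Within the hour SDProp re-stamps the protected accounts, so a removed ACE disappears from them without any further action.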


• 10.2 - Create a fake service account to detect Kerberoast


Summary: 


Every (service) account that has an SPN is actually at risk, because every authenticated user has the right to request a service ticket for that account and crack it offline.

This is not here to sell you FUD, but to make you aware of how easy it is nowadays, which is also why service accounts need to have a strong password of at least 20 characters.

A great way to catch an attacker is to create a fake service account that has an SPN.
• Here is a fake service account in Domain Admins.


[Screenshot: Domain Admins group, Members tab, now also listing SQL Honey Account (corp.contoso.com/Accounts/Services) next to the SQL service accounts]


• A fake SPN has been assigned to the service account

[Screenshot: setspn output registering an SPN ending in /corp.contoso.com:1443 on SQL_Honey and listing the registered ServicePrincipalNames for CN=SQL Honey Account,OU=Services,OU=Accounts,DC=corp,DC=contoso,DC=com]


• Recommendations

Now, when someone requests a service ticket for this SQL_Honey account, an event will show up in the Security log. Since this fake service account maps to nothing, an alert should go off.


[Screenshot: PowerShell output of a System.IdentityModel.Tokens.KerberosRequestorSecurityToken object, i.e. a service ticket that was requested for the honey SPN]

A Kerberos service ticket was requested.

Account Information:
    Account Name:   Mark@CORP.CONTOSO.COM
    Account Domain: CORP.CONTOSO.COM
    Logon GUID:     {321c362f-522b-98eb-c3d9-33f9ddb32d3a}

Service Information:
    Service Name:
    Service ID:

Network Information:
    Client Address:
    Client Port:    0

Additional Information:
    Ticket Options:         0x40810000
    Ticket Encryption Type: 0x17
    Failure Code:           0x0
    Transited Services:     -


• 10.3 - Monitor high-privileged groups


Summary: 


Monitoring high-privileged groups is necessary to keep an eye on privilege abuse. There are people who like to take the short road, which is adding random service accounts to groups like Domain Admins.

Since we know that adding service accounts to high-privileged groups is insecure, we need to ensure that we have alerts on this.

• User "Dan" has been added to the Domain Admins group.

Is there an alert going off if this happens?


• Recommendations

Monitor the following security event and make sure bells ring when it occurs.

Event ID   Description
4728       A member was added to a security-enabled global group


• Mark added Dan to the Domain Admins group.

Event 4728, Microsoft Windows security auditing.

A member was added to a security-enabled global group.

Subject:
    Security ID:
    Account Name:   Mark
    Account Domain: CORP
    Logon ID:       0x12E11D

Member:
    Security ID:
    Account Name:   CN=Dan Park,OU=Users,OU=Accounts,DC=corp,DC=contoso,DC=com

Group:
    Security ID:
    Group Name:     Domain Admins
    Group Domain:   CORP

Additional Information:
    Privileges:     -


• 10.4 - Event logs to monitor


Summary: 


Relevant events from the Domain Controllers that need to be monitored. No need to filter anything; just monitor on the event ID itself.


Event ID   Description
1100       The event log service has shut down
1102       The audit log was cleared
4704       A user right was assigned
4705       A user right was removed
4715       The audit policy (SACL) on an object was changed
4719       System audit policy was changed
4728       A member was added to a security-enabled global group
4729       A member was removed from a security-enabled global group
4771       Kerberos pre-authentication failed
4772       A Kerberos authentication ticket request failed
4773       A Kerberos service ticket request failed
4780       The ACL was set on accounts which are members of administrators groups


• Recommendations

Start with collecting the above events and create priorities for them. Once done, try to find a solution to forward all those event logs to a central point, like a SIEM.

The following security events might be valuable as well:

Event ID   Description
4742       A computer account was changed
4946       A change has been made to Windows Firewall exception list. A rule was added
4947       A change has been made to Windows Firewall exception list. A rule was modified
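One collector for the Domain Controller events of 10.2, 10.3 and 10.4, as an added example that is not ADSA's own code: it pulls the 10.4 event IDs from the Security log of every DC, raises an alert for a 4769 service ticket request whose service is the SQL_Honey account from 10.2, and for a 4728 whose group is one of the watched privileged groups from 10.3. The watched-group list and the honey account name are assumptions taken from the text.

```powershell
# Added example, not part of ADSA: DC security event collector for 10.2-10.4.
# Requires the ActiveDirectory module and event-log read rights on the DCs.
Import-Module ActiveDirectory

$honeyAccount  = 'SQL_Honey'                                              # the fake account from 10.2
$watchedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'   # assumption

# Event IDs and descriptions from the 10.4 tables; 4769 added for the honey SPN.
$eventTable = @{
    1100 = 'The event log service has shut down'
    1102 = 'The audit log was cleared'
    4704 = 'A user right was assigned'
    4705 = 'A user right was removed'
    4715 = 'The audit policy (SACL) on an object was changed'
    4719 = 'System audit policy was changed'
    4728 = 'A member was added to a security-enabled global group'
    4729 = 'A member was removed from a security-enabled global group'
    4769 = 'A Kerberos service ticket was requested'
    4771 = 'Kerberos pre-authentication failed'
    4772 = 'A Kerberos authentication ticket request failed'
    4773 = 'A Kerberos service ticket request failed'
    4780 = 'The ACL was set on accounts which are members of administrators groups'
}

function Get-EventDataField {
    # Reads a named EventData field from the event XML (field order differs per event ID).
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-DcSecurityFindings {
    param([int]$Hours = 1)
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = @($eventTable.Keys); StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $ev = $_
            $severity = 'Monitor'
            if ($ev.Id -eq 4769) {
                # 4769 is constant background noise; only the honey account matters here.
                if ((Get-EventDataField -Event $ev -Name 'ServiceName') -ne $honeyAccount) { return }
                $severity = 'ALERT: service ticket requested for the honey account'
            } elseif ($ev.Id -eq 4728 -and (Get-EventDataField -Event $ev -Name 'TargetUserName') -in $watchedGroups) {
                $severity = 'ALERT: member added to a privileged group'
            } elseif ($ev.Id -eq 1102) {
                $severity = 'ALERT: audit log cleared'
            }
            [PSCustomObject]@{
                DC          = $dc
                Time        = $ev.TimeCreated
                EventId     = $ev.Id
                Description = $eventTable[$ev.Id]
                Subject     = Get-EventDataField -Event $ev -Name 'SubjectUserName'
                Severity    = $severity
            }
        }
    }
}

Get-DcSecurityFindings -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

In 4769 the ServiceName field holds the sAMAccountName of the service account, not the SPN string, so the match is on SQL_Honey rather than the registered SPN.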


• 11.1 - Deploy Microsoft Administrative Tier Model


Summary: 


Microsoft has developed a model with the name "Administrative Tier Model", and it is a great way to mitigate credential theft.

Domain Admins usually logged in to multiple lower-trusted servers and workstations, which means that they exposed their credentials in memory. Since then, a model has been introduced to mitigate these kinds of attacks, which only allows Domain Admins, also known as Tier 0 admins, to log on to critical servers (Tier 0 servers), with the likes of Domain Controllers, Azure AD Connect, ADFS, PKI, NPS, etc. These are usually the Tier 0 servers.

The Administrative Tier Model has three layers: Tier 0, Tier 1 and Tier 2.

Tier 0 contains servers like Domain Controllers, Azure AD Connect, ADFS, PKI, etc. Domain Admins or equivalent are usually the ones who manage these servers.

Tier 1 contains important, but not critical, servers. A few examples are SQL Servers, file servers, print servers, etc. Tier 1 admins are usually the server admins.

Tier 2 contains workstations. Tier 2 admins are usually the helpdesk / workstation admins who take care of workstations. They help to troubleshoot problems when someone calls the desk.

All of the Tier admins can only log on to their own "Tier zone". So, for example, Tier 0 admins cannot log on to Tier 1 servers or Tier 2 workstations, and vice versa.




• Recommendation

Deploying the MS Administrative Tier Model can take some time, because it requires testing and planning, but this does not mean you shouldn't implement it.

• What does it look like?

We created a bunch of OUs with all the right objects in them, and the second important part is to use Group Policy to deny logon access.

• Example

Tier 0 admins are not allowed to log on to the Tier 1 and Tier 2 zones, so a Group Policy needs to be in place to deny logon access through User Rights Assignment.


[Screenshot: Active Directory Users and Computers, OU structure of corp.contoso.com]

corp.contoso.com
    Accounts
    Admin
        Tier 0
            Accounts
            Devices
            Groups
            Service Accounts
            Tier 0 Servers
        Tier 1
            Accounts
            Devices
            Groups
            Service Accounts
            Tier 1 Servers
        Tier 2
            Accounts
            Devices
            Groups
            Service Accounts
            Tier 2 Workstations


• 11.2 - Define which assets belong to Tier 0


Summary: 


Defining which assets belong to Tier 0 has always been misunderstood. Usually people thought it would be just the Domain Controllers, but this is a misconception.

Tier 0 servers are the most critical servers in an organization. If one of those servers were compromised, it would have immediate business impact.

Here are a few examples of servers that need to be managed from Tier 0:

• Domain Controllers
• Azure AD Connect
• ADFS
• PKI

There is a huge chance that those are not the only ones, because you might have other critical servers as well, which means a risk assessment needs to be done to define whether there are other servers that need to be managed from Tier 0. A simple example is to ask yourself the following question: "If server X goes down, can the business still go on?"


• Risk Assessment

This is an example, but I recommend you do this kind of risk assessment as well, to have a better understanding of your Tier 0 assets.

Server              Description                                  Business Impact
Domain Controller   Handles authentication for users in a        Management would probably run with their hair on fire
                    Windows network                              if all the DCs were down or compromised.
Azure AD Connect    Responsible for synchronizing passwords      - Attacker can leverage Azure AD Connect to obtain
                    to Azure                                       Domain Dominance
                                                                 - Escalate privileges to the AAD permissions of the
                                                                   Sync account in Azure


• 11.2 – Manage GPOs in a Tier Model


Summary: 


GPOs that are linked to Tier 0 assets need to be managed by Tier 0 admins as well; otherwise privilege escalation becomes possible. It is very common to see organizations with some sort of Tier Model in place that still contains misconfigurations which allow someone from Tier 1 to escalate privileges to a Tier 0 asset.


• Here are all the Tier 0 assets, marked in red.


[Screenshot: Active Directory Users and Computers on DC.corp.contoso.com; the Admin > Tier 0 OU and its sub-OUs are marked in red]
corp.contoso.com
  Accounts
  Admin
    Tier 0 (marked red): Accounts, Groups, ...
    Tier 1: Accounts, Devices, Groups, Service Accounts, Tier 1 Servers
    Tier 2: Accounts, Devices, Groups, Service Accounts, Tier 2 Workstations


• GPOs of Tier 0 admins


All of the following need to be managed by Tier 0 admins.


GPO link scope           Managed by
Domain Policy            Tier 0
OU=Domain Controllers    Tier 0
OU=Tier 0 Servers        Tier 0
OU=Tier 0 Devices        Tier 0


• Recommendation


Example 1 


[Screenshot: Group Policy Management, Forest: corp.contoso.com > Domains > corp.contoso.com]
  Linked at the domain: Default Domain Policy, Internet Explorer Zone Settings, Remote Desktop Access, Windows PowerShell Execution Policy
  OU Accounts
  OU Domain Controllers: Default Domain Controllers Policy
  Group Policy Objects, WMI Filters, Starter GPOs


All the Group Policy Objects that are linked to any Tier 0 asset need to be managed from Tier 0 operations. Otherwise, escalation paths are possible if you do not manage your GPOs well.

[Screenshot: Default Domain Controllers Policy > Delegation tab. These groups and users have the specified permission for this GPO:]
Authenticated Users                           Read (from Security Filtering)
Domain Admins (CORP\Domain Admins)            Custom
Enterprise Admins (CORP\Enterprise Admins)    Custom
ENTERPRISE DOMAIN CONTROLLERS                 Read
SYSTEM                                        Edit settings, delete, modify security

[Screenshot: Default Domain Policy > Delegation tab. These groups and users have the specified permission for this GPO:]
Authenticated Users                           Read (from Security Filtering)
Domain Admins (CORP\Domain Admins)            Custom
Enterprise Admins (CORP\Enterprise Admins)    Custom
ENTERPRISE DOMAIN CONTROLLERS                 Read
Marketing (CORP\Marketing)                    Edit settings, delete, modify security
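One way to find delegation problems like the Marketing entry above is to enumerate every GPO linked at a Tier 0 scope and report trustees with edit rights that are not expected Tier 0 editors. This is an added example and not code from the original guide; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the Tier 0 OU path and the allowed-editor list are assumptions to adjust for your environment.

```powershell
# Added example (not from the original guide): list every principal that can edit a GPO
# linked to a Tier 0 scope but is not an expected Tier 0 editor.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules, run from a Tier 0 admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Tier 0 scopes from the table above: the domain root (Domain Policy), the Domain Controllers OU,
# and the Tier 0 OU with its sub-OUs (Tier 0 Servers, Devices, ...).
# The Tier 0 OU path is an assumption that matches the screenshots; adjust it to your layout.
$tier0Ou = "OU=Tier 0,OU=Admin,$($domain.DistinguishedName)"
$tier0Scopes = @($domain.DistinguishedName, $domain.DomainControllersContainer) +
    @(Get-ADOrganizationalUnit -Filter * -SearchBase $tier0Ou -SearchScope Subtree -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName)

# Principals that may legitimately hold edit rights on Tier 0 GPOs (assumption; add your Tier 0 admin groups).
$allowedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')
# Permission levels that allow changing the GPO's settings or security.
# GpoCustom is flagged as well because it may hide write access and deserves a manual look.
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

$findings = foreach ($scope in $tier0Scopes) {
    # Get-GPInheritance returns the GPOs linked directly at this container.
    foreach ($link in (Get-GPInheritance -Target $scope).GpoLinks) {
        foreach ($perm in (Get-GPPermission -Guid $link.GpoId -All)) {
            $level = "$($perm.Permission)"
            if ($editLevels -contains $level -and $allowedEditors -notcontains $perm.Trustee.Name) {
                [pscustomobject]@{
                    Scope      = $scope
                    GPO        = $link.DisplayName
                    Trustee    = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
                    Permission = $level
                }
            }
        }
    }
}

# For the Default Domain Policy delegation shown above, CORP\Marketing with
# GpoEditDeleteModifySecurity would appear in this output.
$findings | Sort-Object Scope, GPO | Format-Table -AutoSize
```

Each row is a principal outside Tier 0 that can change a GPO applied to Tier 0 assets; remove the delegation or move the principal's management into Tier 0.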


